
NSE Certification Program
Lesson Overview
• High-Level Features
• Setup Decisions
• Basic Administration
• Built-In Servers
• Fundamental Maintenance

High-Level Features
Objectives
• Identify platform design features of FortiGate
• Identify features of FortiGate in virtualized networks and the cloud
• Understand FortiGate security processing units (SPU)
Platform Design




© Fortinet Inc. All Rights Reserved.


SPUs (Contd)
• Content Processor (CP9)
  • High-speed content inspection
  • Not bound to interface, closer to applications
  • Encryption and decryption (SSL)
  • Antivirus
• Security Processor
  • Directly attached to network interfaces
  • Increase system performance by accelerating IPS
• Network Processor (NP6)
  • Packet Processing
  • NP6 provided NTurbo
  • Directly attached to network interface
• System-on-a-Chip Processor (SoC3)
  • Optimized performance for entry level
  • SoC3 platforms include NTurbo


Setup Decisions
Objectives
• Identify the factory defaults
• Select an operation mode
• Understand FortiGate's relationship with FortiGuard and
distinguish between live queries and package updates
Modes of Operation

NAT
• FortiGate is an OSI Layer 3 router
• Interfaces have IP addresses
• Packets are routed by IP

Transparent
• FortiGate is an OSI Layer 2 switch or bridge
• Interfaces do not have IPs
• Cannot route packets, only forward or block


Factory Default Settings
• Port1 or internal interface IP: 192.168.1.99/24
• PING, HTTP, HTTPS, and SSH protocol management enabled
• Built-in DHCP server is enabled on port1 or internal interface
  • Only on entry-level models that support DHCP server
• Default login:
  User: admin
  Password:
  • Both are case sensitive
  • Modify the default (blank) root password
• Can access FortiGate on the CLI
  • Console: without network
  • CLI Console widget and terminal emulator, such as PuTTY or Tera Term


FortiGuard Subscription Services
• Internet connection and contract required
• Provided by FortiGuard Distribution Network (FDN)
  • Major data centers in North America, Asia, and Europe
  • Or, from FDN through your FortiManager
  • FortiGate prefers data center in nearest time zone, but will adjust by server load
• Package updates: FortiGuard Antivirus and IPS
  • update.fortiguard.net
  • TCP port 443 (SSL)
• Live queries: FortiGuard Web Filtering, DNS Filtering, and Antispam
  • service.fortiguard.net for proprietary protocol on UDP port 53 or 8888
  • securewf.fortiguard.net for HTTPS over port 53 or 8888


Basic Administration
Objectives
• Manage administrator profiles
• Manage administrative users
• Define the configuration method for administrative users
• Control administrative access to the FortiGate GUI and CLI
• Manage specific aspects of the network interfaces
Administration Methods

CLI
Console, SSH, Telnet, GUI Widget

GUI
FortiExplorer, Web Browser (HTTP, HTTPS)


Basic CLI Commands
• Use the following commands to check the system status and list all or only non-default attribute values for an interface
• Use <command set> ? to list commands that you can use with it (for example, get ?) and to list sub-commands under <command set> <command>
  • For example, execute backup ?

What to investigate | CLI command to use
What is the current status of FortiGate? | get system status
What are all the attribute values for the system interface? | show full-configuration system interface <port>
What are the non-default attribute values for the system interface? | show system interface <port>


Create an Administrative User
System > Administrators
[Screenshot: New Administrator dialog with fields User Name (admin1), Type (Local User, Match a user on a remote server group, Match all users in a remote server group, Use public key infrastructure (PKI) group), Password, Confirm Password, Comments, Administrator Profile (super_admin), Email Address, SMS, Two-factor Authentication, Restrict login to trusted hosts, Restrict admin to guest account provisioning only]


Administrator Profiles-Permissions
System > Admin Profiles
[Screenshot: Edit Admin Profile page. The Access Permissions table has one row per access control (Security Fabric, FortiView, User & Device, Firewall, Log & Report, Network, System, Security Profile, VPN, WAN Opt & Cache, WiFi & Switch) with a permission selected for each (None, Read, or Custom where offered), plus an Override Idle Timeout option]


Resetting a Lost Admin Password
User: maintainer
Password: bcpb<serial-number>
All letters in <serial-number> must be upper case, for example, FGT60

• All FortiGate appliance models and some other Fortinet device types
  • No maintainer procedure in VM, revert to snapshot or re-provision VM
• Only after hard power cycle
  • Soft cycle (reboot) does not work for security reasons.
• Only during first 60 seconds after boot (varies by model)
  • Tip: Copy serial number into the terminal buffer, then paste
• Only through hardware console port
  • Requires physical access for security reasons
• If compliance/risk of physical access requires, maintainer can be disabled

    config sys global
        set admin-maintainer disable
    end


Administrative Access-Trusted Sources
System > Administrators
[Screenshot: administrator list with columns Name, Trusted Hosts, Profile, Type, Two-factor Authentication (admin: 0.0.0.0/0, super_admin, Local; admin1: 10.0.1.10, super_admin, Local); the edit dialog with Restrict login to trusted hosts enabled (Trusted Host 1: 10.0.1.10/32; Trusted Host 2: 0.0.0.0/0; Trusted Host 3: 0.0.0.0/0); and the login page showing "Authentication failure"]

If admin1 attempts to log in to the FortiGate GUI from any IP other than 10.0.1.10, they receive this message


Administrative Access-Protocols
Network > Interfaces
• Enable acceptable management protocols on each interface independently:
  • Separate IPv4 and IPv6
  • IPv6 options hidden by default
• Also protocols where FortiGate is the destination IP:
  • FortiTelemetry
  • CAPWAP
  • FMG-Access
  • FTM
  • RADIUS Accounting
• LLDP Support
  • Detecting an upstream Security Fabric FortiGate through LLDP
[Screenshot: Edit Interface page for port3 showing the Administrative Access checkboxes (HTTPS, HTTP, PING, FMG-Access, CAPWAP, SSH, SNMP, FTM, RADIUS Accounting, FortiTelemetry) and the Receive LLDP and Transmit LLDP options (Use VDOM Setting, Enable, Disable)]

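
An offline audit of the settings covered in the slides above (blank default password, trusted hosts, per-interface management protocols, the maintainer account), as an added example that is not Fortinet's code. The sample configuration is constructed; treating a missing `set password` line as a blank password and a missing `admin-maintainer` line as the enabled default are assumptions.

```python
import ipaddress
import shlex

# Constructed sample in FortiOS "show" syntax (illustrative names and addresses).
# Assumption: an admin with a blank password has no "set password" line.
SAMPLE_CONFIG = """
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "admin1"
        set accprofile "super_admin"
        set trusthost1 10.0.1.10 255.255.255.255
        set password ENC <redacted>
    next
end
config system interface
    edit "port1"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh http
    next
    edit "port3"
        set ip 10.0.1.254 255.255.255.0
        set allowaccess ping https ssh
    next
end
"""

CLEARTEXT_MGMT = {"http", "telnet"}  # management protocols sent unencrypted


def parse_config(text):
    """Parse top-level blocks into {section: {entry: {key: [values]}}}.

    Flat sections (no edit/next) use the entry name ""; nested config
    blocks inside an entry are skipped.
    """
    sections, stack, entry = {}, [], ""
    for raw in text.splitlines():
        words = shlex.split(raw)
        if not words:
            continue
        head = words[0]
        if head == "config":
            stack.append(" ".join(words[1:]))
            if len(stack) == 1:
                sections.setdefault(stack[0], {})
                entry = ""
        elif head == "end":
            if stack:
                stack.pop()
        elif len(stack) != 1:
            continue
        elif head == "edit" and len(words) > 1:
            entry = words[1]
            sections[stack[0]].setdefault(entry, {})
        elif head == "next":
            entry = ""
        elif head == "set" and len(words) > 1:
            sections[stack[0]].setdefault(entry, {})[words[1]] = words[2:]
    return sections


def trusted_networks(attrs):
    """Return the trusthostN entries that actually restrict the source."""
    nets = []
    for key, value in attrs.items():
        if key.startswith("trusthost") and len(value) == 2:
            net = ipaddress.ip_network("/".join(value), strict=False)
            if net.prefixlen > 0:  # 0.0.0.0/0 means any source
                nets.append(net)
    return nets


def login_source_allowed(attrs, source_ip):
    """With no restricting trusted host, every source address is allowed."""
    nets = trusted_networks(attrs)
    return not nets or any(ipaddress.ip_address(source_ip) in n for n in nets)


def audit(text):
    """Return sorted (object, finding) pairs."""
    cfg = parse_config(text)
    findings = []
    for name, attrs in cfg.get("system admin", {}).items():
        if not trusted_networks(attrs):
            findings.append((f"admin {name}", "login allowed from any source IP"))
        if "password" not in attrs:
            findings.append((f"admin {name}", "no password set"))
    for name, attrs in cfg.get("system interface", {}).items():
        weak = sorted(CLEARTEXT_MGMT & set(attrs.get("allowaccess", [])))
        if weak:
            findings.append((f"interface {name}", "cleartext management: " + ",".join(weak)))
    glob = cfg.get("system global", {}).get("", {})
    if glob.get("admin-maintainer", ["enable"]) != ["disable"]:  # absent = default
        findings.append(("global", "maintainer account not disabled"))
    return sorted(findings)
```

Feed `audit()` the text of a configuration backup; `login_source_allowed()` reproduces the trusted-host decision for a single administrator and source address.
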
Features Hidden by Default
System > Feature Visibility
• By default, some features like IPv6 are hidden on the GUI
  • Hidden features are not disabled
• In Feature Visibility, select whether to hide or show groups of features commonly used together.
[Screenshot: Feature Visibility page with on/off toggles for feature groups such as Advanced Routing and IPv6]


Interface IPs
Network > Interfaces
• In NAT mode, interfaces cannot be used until they have an IP address:
  • Manually assigned
  • Automatic
    • DHCP
    • PPPoE
• Exception: One-Arm Sniffer
Note that the One-Arm Sniffer is available only when editing an unreferenced interface
[Screenshot: Edit Interface page showing the Addressing mode options, including DHCP and One-Arm Sniffer, and the IP/Network Mask field]

Static Gateway
Network > Static Routes
• Must be at least one default gateway
• If the interface is DHCP or PPPoE, the gateway can be added dynamically
[Screenshot: New Static Route dialog (Destination: 0.0.0.0/0; Interface: port2; Gateway Address: 10.200.2.254; Administrative Distance: 10; Status: Enabled or Disabled; Advanced Options)]


Built-In Servers
Objectives
• Enable the DHCP service on FortiGate
• Enable the DNS service on FortiGate
• Understand the configuration possibilities and some of their
implications
FortiGate as a DHCP Server
Network > Interfaces
[Screenshot: Edit Interface page with the DHCP Server section, and the Create New IP Address Assignment Rule dialog (Type: MAC Address or DHCP Relay Agent; Description; Match Criteria: MAC address; Action)]


FortiGate as a DNS Server
• Resolves DNS lookups from the internal network:
  • Enabled per interface
  • Not appropriate for Internet service because of load, and therefore should not be public facing.
• One DNS database can be shared by all FortiGate interfaces:
  • Can be separate per VDOM
• Resolution methods:
  • Forward: Relay requests to the next server (in DNS settings)
  • Non-recursive: Use FortiGate DNS database only to try to resolve queries
  • Recursive: Use FortiGate DNS database first; relay unresolvable queries to next server (in DNS settings)


DNS Forwarding
• Forwarding allows DNS control without the local FQDN database
• Sends query to the external DNS server
Network > DNS Servers
Double-click the interface field or select and click Edit
[Screenshot: DNS Service on Interface table (Interface: internal_network (port3); Mode: Recursive) and the DNS Database table below]

DNS Zone | Domain Name | Type | View | TTL (seconds) | # of Entries
remote.lab | remote.lab | Master | Shadow | 86400 | 3
student.lab | student.lab | Master | Shadow | 86400 | 3
training.lab | training.lab | Master | Shadow | 86400 | 8

To view DNS Servers in Network, you must make it visible in System > Feature Visibility > DNS database.


Fundamental Maintenance
Objectives
• Back up and restore system configuration files
• Understand the restore requirements for plain text and encrypted
configuration files
• Identify the current firmware version
• Upgrade firmware
• Downgrade firmware
Configuration File-Backup and Restore
• Configuration can be saved to an external device
  • Optional encryption
• Can back up automatically
  • Upon logout
  • Not available on all models
• To restore a previous configuration, upload file
  • Reboots FortiGate
[Screenshot: admin menu (System; Configuration: Backup, Restore, Revisions; Change Password; Logout), the Restore System Configuration dialog (Restore from, File: Upload, Password) and the Backup System Configuration dialog (Backup to, Encryption, Password, Confirm password)]


Configuration File Format
Plain text
[Screenshot: header of a plain-text configuration file. The #config-version line carries the model (FGVM64), the firmware major version (6.2.0) and the build number (build0866), followed by the opmode, vdom and user fields; the lines after it are #conf_file_ver, #buildno and #global_vdom. Callouts: Model, Firmware major version, Build number]
• Only non-default and important settings (smaller file size)
• Header shows device model and firmware

Encrypted
[Screenshot: header of an encrypted configuration file. Callouts: Model, Firmware major version]
• After the header, the encrypted file is not readable

• Restoring configuration
  • Encrypted? Same device/model + build + password required
  • Unencrypted? Same model required
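
A pre-restore check built on the header fields and restore rules above, as an added example that is not Fortinet's code. The sample header line is constructed (its trailing `-190101` stamp is made up), and because the encrypted header layout is not legible on the slide, the caller states whether the file is encrypted.

```python
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the plain-text header described above; the
# trailing "-190101" stamp is a made-up value.
SAMPLE_HEADER = "#config-version=FGVM64-6.2.0-FW-build0866-190101:opmode=0:vdom=0:user=admin"

HEADER_RE = re.compile(
    r"^#config-version=(?P<model>[A-Za-z0-9]+)"
    r"-(?P<version>\d+(?:\.\d+)+)"
    r"-FW-build(?P<build>\d+)(?:-\d+)?"
    r"(?P<fields>(?::[A-Za-z_]+=[^:\s]*)*)$"
)


@dataclass
class BackupHeader:
    model: str    # device model, for example FGVM64
    version: str  # firmware version, for example 6.2.0
    build: int    # firmware build number
    fields: dict = field(default_factory=dict)  # opmode, vdom, user, ...


def parse_header(first_line):
    """Parse the first line of a backup; raise ValueError if it is not a header."""
    m = HEADER_RE.match(first_line.strip())
    if m is None:
        raise ValueError("not a FortiGate configuration header")
    pairs = (item.split("=", 1) for item in m.group("fields").split(":") if item)
    return BackupHeader(m.group("model"), m.group("version"),
                        int(m.group("build")), dict(pairs))


def restore_blockers(header, device_model, device_build,
                     encrypted=False, have_password=False):
    """Return the reasons a restore would be refused (empty list if none).

    Rules as stated above: an unencrypted file needs the same model; an
    encrypted file needs the same model, the same build, and the password.
    """
    reasons = []
    if header.model != device_model:
        reasons.append(f"model {header.model} != {device_model}")
    if encrypted:
        if header.build != device_build:
            reasons.append(f"build {header.build} != {device_build}")
        if not have_password:
            reasons.append("encryption password missing")
    return reasons
```
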


Upgrade Firmware
• The current firmware version can be viewed on the Dashboard or in System > Firmware (or on the CLI: get system status)
• If there is an updated firmware version, you will be notified
• Firmware can be updated by clicking Upload Firmware or selecting the upgrade option
• Make sure you read the Release Notes to verify the upgrade path and other details
[Screenshot: System > Firmware page showing Upload Firmware (Browse), the FortiGuard Firmware section, FortiOS v6.0.2 build0163, the Release notes link, and the Backup config and upgrade and Upgrade buttons]


Upgrade Firmware Process
1. Back up the configuration (full config backup on GUI or CLI)
2. Download a copy of the current firmware, in case reversion is needed
3. Have physical access, or a terminal server connected to local console, in case reversion is needed
4. Read the Release Notes; they include the upgrade path and other useful information
5. Perform the upgrade


Downgrade Firmware Process
1. Get the pre-upgrade configuration file
2. Download a copy of the current firmware, in case reversion is needed
3. Have physical access, or a terminal server connected to the local console, in case reversion is needed
4. Read the Release Notes (Does downgrade preserve configuration?)
5. Downgrade the firmware
6. If required, upload the configuration that matches the firmware version


NSE Certification Program
Lesson Overview
• Firewall Policies
• Configuring Firewall Policies
• Managing Firewall Policies
• Best Practices and Troubleshooting

Firewall Policies
Objectives
• Identify components of firewall policies
• Identify how FortiGate matches traffic to firewall policies
What Are Firewall Policies?
• Policies define:
  • Which traffic matches them
  • How to process traffic that matches
• When a new IP session packet arrives, FortiGate:
  • Starts at the top of the list to look for a policy match
  • Applies the first matching policy
• Implicit Deny
  • No matching policy? FortiGate drops packet
Policy & Objects > IPv4 Policy
[Screenshot: policy list ending with the Implicit Deny policy]


Components and Policy Types
Objects used by policies
• Interface and interface groups
• Address, user, and Internet service objects
• Service definitions
• Schedules
• NAT rules
• Security profiles

Policy types
• IPv4, IPv6
• Virtual wire pair (IPv4, IPv6)
• Proxy
• Multicast
• Local In Policy (Origin and destination is FortiGate itself)
• DoS (IPv4, IPv6)
• Traffic shaping
[Screenshot: Policy & Objects menu listing IPv4 Policy, IPv4 Virtual Wire Pair Policy, IPv6 Policy, IPv6 Virtual Wire Pair Policy, Authentication Rules, Multicast Policy, Local In Policy, IPv4 DoS Policy, IPv6 DoS Policy, Addresses, Wildcard FQDN Addresses, Internet Service Database, Services, Schedules, Virtual IPs, IP Pools, Protocol Options, Traffic Shapers, Traffic Shaping Policy, Traffic Shaping Profile]

How Are Policy Matches Determined?
Policy & Objects > IPv4 Policy
Incoming and outgoing interfaces
Source: IP address, user
Destination: IP address or Internet Services
Services
Schedule
Action = ACCEPT or DENY
Authentication, Logging, Security Profile
[Screenshot: policy form with the fields Name, Incoming Interface, Outgoing Interface, Source, Destination, Schedule (always), Service, Action (ACCEPT or DENY)]

Simplify-Interfaces and Zones
• Incoming Interface and Outgoing Interface can be interface(s) or a zone
  • Zone: Logical group of interfaces
• To match policies with traffic, select one (or more) interfaces or any interface
Network > Interfaces
[Screenshot: interface list with columns Interface Name, IP/Netmask, Type. Physical interfaces include 10.200.1.1 255.255.255.0, 10.200.2.1 255.255.255.0 and 10.0.1.254 255.255.255.0; the DMZ zone groups physical interfaces with 192.168.1.1, 192.168.10.1 and 192.168.20.1 (all 255.255.255.0). Callouts: Incoming, Outgoing, Zone]

Matching by Source
• Must specify at least one source (address)
  • IP address or range
  • Subnet (IP/Netmask)
  • FQDN
  • Geography
  • Fabric Connector Address
  • MAC Address Range
• May specify:
  • Source User - Individual user or user group
  • This may refer to:
    • Local firewall accounts
    • Accounts on a remote server (for example, Active Directory, LDAP, RADIUS)
    • FSSO
    • Personal certificate (PKI-authenticated) users
  • Internet service database (ISDB) objects
Policy & Objects > IPv4 Policy
[Screenshot: New Policy form with the Select Entries panel (Address, User, Internet Service). Callouts: "Mandatory source address field", "Optional", "Warning for unresolved FQDN". Validation message: "One address, address group, external resource or Internet service is required"]


Source-User Identification
• Confirms identity of user
• Access to network is provided after confirming user credentials
[Diagram: the user sends a username and password; they are verified against a local user or by an authentication server]


Example-Matching Policy by Source
• Matches by source address, user
• Source as Internet service database (ISDB) objects
Policy & Objects > IPv4 Policy
[Screenshots: two policy forms named Training (Incoming Interface: port3; Outgoing Interface: port1). In the first, Source is the address LOCAL_SUBNET plus the local users guest and student, chosen on the Address and User tabs. In the second, Source is chosen on the Internet Service tab, which lists entries such as Google.Google.Bot and Google.Google.Cloud]


Matching by Destination
Like source, destination criteria can use:
• Address objects:
  • Subnet (IP or netmask)
  • IP address or address range
  • FQDN
    • DNS query used to resolve FQDN
  • Geography
    • Country defines addresses by ISP's geographical location
    • Database updated periodically through FortiGuard
  • Fabric Connector Address
• Internet service database (ISDB) objects


Internet Service
• Database that contains IP addresses, IP protocols, and port numbers used by the most common Internet services
  • Regularly updated through FortiGuard
• Can be used as Source or Destination in the firewall policy
• If Internet Service is selected as Source:
  • You cannot use Address in the Source
• If Internet Service is selected as Destination:
  • You cannot use Address in the Source
  • You cannot select Service in the firewall policy
Policy & Objects > Internet Service Database
[Screenshot: Internet Service Database list with columns Name, Reputation, Direction, for example Microsoft Outlook (Both), Google Google Bot (Source), Facebook Whatsapp (Destination)]
Policy & Objects > IPv4 Policy
[Screenshot: policy form named Training with Facebook Internet Service entries selected]


Scheduling
• Policies apply only during specific times and on specific days
  • Example: A less restrictive lunch time policy
  • The default schedule applies all the time
• Recurring
  o Happens at the same time during specified day(s) of the week
• One-time
  o Happens only once
Policy & Objects > Schedules
[Screenshots: New Schedule dialogs. Recurring: Type, Name, Color, Days (Sunday to Saturday), All Day, Start Time, Stop Time. One-time: Type, Name (Maintenance), Color, Start Date 2019/05/17, Start Time, End Date 2019/05/19, Stop Time, Pre-expiration event log (number of days before)]

Matching by Service
• Service determines matching transmission protocol (UDP, TCP, and so on) and port number
• Can be predefined or custom
• ALL matches all ports and protocols
[Diagram: the protocol and port of the packet are compared with the protocol and port of the firewall policy]
Policy & Objects > Services

Service Name | Details | IP/FQDN | Show in Service List
ALL | ANY | | Visible
ALL_TCP | TCP/1-65535 | 0.0.0.0 | Visible
ALL_UDP | UDP/1-65535 | 0.0.0.0 | Visible
ALL_ICMP | ANY | | Visible
ALL_ICMP6 | ANY | | Visible

Configuring Firewall Policies
Objectives
• Restrict access and make your network more secure using
security profiles
• Configure logging
Configuring Firewall Policies
System > Feature Visibility
• Mandatory policy name when creating on GUI
  • Can relax the requirement by enabling Allow Unnamed Policies ("Relax the requirement for every policy to have a name when created in GUI.")
• Flat GUI view allows:
  • Select by clicking
  • Drag-and-drop
[Screenshot: policy form named Training (Incoming Interface: port3; Outgoing Interface: port1; Source: LOCAL_SUBNET; Schedule: always; Service: ALL; Action: ACCEPT or DENY) beside the Select Entries panel (Address, User, Internet Service) listing address objects such as all, FABRIC_DEVICE, FORTINET, gmail.com, LINUX_ETH1, LOCAL_SUBNET, LOCAL_WINDOWS, login.microsoft.com, login.microsoftonline.com. Callouts: "Enabled by default", "Must specify unique name", "Highlights selected entry"]

    config firewall policy
        edit <policy_id>
            set name "Training"
            set uuid 22c4966e-47...

Universally Unique Identifier (UUID)


Security Profiles
• Firewall policies limit access to configured networks
• Security profiles configured in firewall policies protect your network by:
• Blocking threats
• Controlling access to certain applications and URLs
• Preventing specific data from leaving your network

Policy & Objects > IPv4 Policy
[Screenshot: Security Profiles section of the policy form: AntiVirus (default), Web Filter (default), DNS Filter, Application Control (default), IPS (default), SSL Inspection (deep-inspection)]


Logging
• By default, set to Security Events
  • Generates logs based on applied security profile only
• Can change to All Sessions
[Screenshot: Logging Options: Log Violation Traffic; Log Allowed Traffic (Security Events or All Sessions); Generate Logs when Session Starts; Capture Packets]


Managing Firewall Policies
Objectives
• Identify policy list views
• Understand the use of policy IDs
• Identify where an object is referenced
Policy ID
• Firewall policies are primarily ordered on a top-down basis
• Policy IDs are identifiers:
  • Policy ID is assigned by the system when the rule is created
  • The ID number never changes as rules move higher or lower in the sequence

    config firewall policy
        edit <policy_id>
    end

Policy & Objects > IPv4 Policy
[Screenshot: policy list with columns Name, Source, Destination, Schedule, Service, Action, NAT, including Full_Access (LOCAL_SUBNET to all, always, ALL, ACCEPT, NAT enabled) and, with ID 3, DMZ (DMZ to all, always, ALL, ACCEPT, NAT enabled)]


Simplify-Groups of Addresses or Services
• You can reference address and service objects individually, or use groups to simplify policy configuration
[Screenshots: in the port3 - port1 section, the Web_FTP policy (ACCEPT, NAT enabled) first references lan_1 and lan_2 and the services DNS, FTP, HTTP and HTTPS individually; the New Address Group dialog (Group Name: Local_LANs; Members: Lan_1, Lan_2) and a service group whose members include HTTP and HTTPS; the same Web_FTP policy after it has been simplified with groups]


Object Usage
• Allows for faster changes to settings
• Reference column shows if the object is being used
  • Links directly to the referencing object
Policy & Objects > Addresses
[Screenshot: address list with columns Name, Type, Details, Visibility, Ref. (LOCAL_SUBNET: Subnet 10.0.1.0/24; all: Subnet 0.0.0.0/0, Ref. 6); the "Usage of Address: all" window (Current Usage, Possible Uses; Edit, Delete, View List, View Properties); and the properties of a referencing policy (policyid 4, name DMZ, srcintf port8, dstintf port4, srcaddr all, dstaddr all). Callouts: "Number of times object used", "Referenced by policy ID"]


Best Practices and Troubleshooting
Objectives
• Identify naming restrictions for firewall policies and objects
• Reorder firewall policies for correct matching
• Demonstrate how to find matching policies for traffic type
Best Practices
• Test policies in a maintenance window before deploying in production
• Test policy for a few IP addresses, users, and so on
• Be careful when editing, disabling, or deleting firewall policies and objects
• Changes are saved and activated immediately
• Resets active sessions
• Create firewall policies to match as specifically as possible
• Example: Restrict firewall policies based on source, destination, service
• Use proper subnetting for address objects
• Analyze and enable appropriate settings on a per-policy basis
• Security profiles
• Logging settings



Adjusting Policy Order
• On the GUI, drag-and-drop
[Screenshot: policy list (columns ID, Name, Source, Destination, Schedule, Service, Action) before and after the move. Before: Full_Access (ID 1; LOCAL_SUBNET to all, always, ALL, ACCEPT) is above Block_FTP (all to all, always, FTP, DENY). After: Block_FTP is above Full_Access]
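
Why the move matters, as an added example that is not Fortinet's code: a first-match evaluator with implicit deny, run on the two policies from the slide, plus a check that reports a policy overridden by an earlier one with a different action. Matching services by object name, the Block_FTP ID of 2 and the test addresses are assumptions.

```python
import ipaddress
from dataclasses import dataclass

ALL = "ALL"  # the service object that matches every protocol and port


@dataclass(frozen=True)
class Policy:
    policy_id: int  # assigned at creation, never changes when the rule moves
    name: str
    src: str        # source address object, written here as a CIDR subnet
    dst: str        # destination address object, as a CIDR subnet
    service: str    # service object name; matching by name is a simplification
    action: str     # "ACCEPT" or "DENY"


IMPLICIT_DENY = Policy(0, "Implicit Deny", "0.0.0.0/0", "0.0.0.0/0", ALL, "DENY")

# Policies from the slide. LOCAL_SUBNET is 10.0.1.0/24 and "all" is 0.0.0.0/0;
# the ID 2 for Block_FTP is an assumption (only Full_Access's ID is legible).
FULL_ACCESS = Policy(1, "Full_Access", "10.0.1.0/24", "0.0.0.0/0", ALL, "ACCEPT")
BLOCK_FTP = Policy(2, "Block_FTP", "0.0.0.0/0", "0.0.0.0/0", "FTP", "DENY")
BEFORE_MOVE = [FULL_ACCESS, BLOCK_FTP]
AFTER_MOVE = [BLOCK_FTP, FULL_ACCESS]


def matches(policy, src_ip, dst_ip, service):
    return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(policy.src)
            and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(policy.dst)
            and policy.service in (ALL, service))


def first_match(policies, src_ip, dst_ip, service):
    """Walk the list top-down; the first match wins, otherwise implicit deny."""
    for policy in policies:
        if matches(policy, src_ip, dst_ip, service):
            return policy
    return IMPLICIT_DENY


def _overlap(a, b):
    """CIDR blocks either nest or are disjoint, so the overlap is the smaller."""
    a, b = ipaddress.ip_network(a), ipaddress.ip_network(b)
    if a.subnet_of(b):
        return a
    if b.subnet_of(a):
        return b
    return None


def preempted(policies):
    """Find policies that an earlier policy with a different action overrides.

    Returns (later, earlier, src, dst): for traffic from src to dst the
    earlier policy matches every service the later one names, so the later
    policy never applies to that traffic.
    """
    findings = []
    for index, later in enumerate(policies):
        for earlier in policies[:index]:
            src = _overlap(earlier.src, later.src)
            dst = _overlap(earlier.dst, later.dst)
            covers_service = earlier.service in (ALL, later.service)
            if (src is not None and dst is not None and covers_service
                    and earlier.action != later.action):
                findings.append((later.name, earlier.name, str(src), str(dst)))
    return findings
```

With Full_Access on top, FTP from LOCAL_SUBNET is accepted and `preempted()` reports Block_FTP; after the move the report is empty and the policy IDs are unchanged.
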


Policy Lookup (GUI)
• Identify matching policy without real traffic
• Does not generate any packets
• Searches matching policy based on input criteria
• Source interface
• Protocol
• Requires more granular input criteria
• Source IP address
• Destination IP/FQDN
• Policy lookup checks
• Reverse path forwarding (RPF)
• Destination NAT, if matching virtual IP
• Route lookup, to resolve destination interface


Policy Lookup Example (GUI)
• Highlights matching policy after search
Policy & Objects > IPv4 Policy
[Screenshot: Policy Lookup dialog (Source Interface: port3; Protocol: TCP; Source: 10.0.1.10; Source Port: optional (1-65535); Destination: fortinet.com; Destination Port: 443) and the policy list (ID 10 Training1: LOCAL_SUBNET to all, always, ALL_ICMP, ACCEPT; ID 2 FTP: all to all, always, FTP, ACCEPT; ID 3 Training2: LOCAL_SUBNET to Fortinet_FQDN, always, ACCEPT; Full_Access), shown before the search and again with the matching policy highlighted]


Intrusion Prevention System (IPS)
Objectives
• Differentiate between exploits and anomalies
• Identify the different components of an IPS package
• Manage FortiGuard IPS updates
• Select an appropriate IPS signature database
• Configure an IPS sensor
• Identify the IPS sensor inspection sequence
• Apply IPS to network traffic
IPS
• Flow-based detection and blocking
• Known exploits that match signatures
• Network errors and protocol anomalies
• IPS components
• IPS signature databases
• Protocol decoders
• IPS engine
• Application control
• Antivirus (flow based)
• Web filter (flow based)
• Email filter (flow based)
• Data leak prevention (DLP) (flow-based in one-arm sniffer mode)



What Are Protocol Decoders?
• Decoders parse protocols.
• IPS signatures find parts of a protocol that don't conform.
• For example, too many HTTP headers, or a buffer overflow attempt
• Unlike proxy-based scans, IPS often does not require IANA standard ports.
• Automatically selects decoder for protocol at each OSI layer

Meets protocol
requirements and
standards?



FortiGuard IPS Updates
• IPS packages are updated by FortiGuard.
• IPS signature databases
• Protocol decoders
• IPS engine
• Regular updates are required to ensure IPS remains effective.
• Enable push updates to receive updates as they become available.
• The Botnet IPs and Botnet Domains subscription is part of a FortiGuard IPS license.

[Screenshot: System > FortiGuard. The FortiGuard Distribution Network license list shows Intrusion Prevention (Licensed, expires on 2021/06/07), IPS Definitions, IPS Engine, Malicious URLs, Botnet IPs, and Botnet Domains. The AntiVirus & IPS Updates section shows Accept push updates, Use override push, Scheduled Updates, Improve IPS quality, Use extended IPS signature package, and Update AV & IPS Definitions.]


Choosing the Signature Database
• Regular
• Common attacks with fast, certain identification (default action is block)
• Extended
• Performance-intensive

[Screenshot: System > FortiGuard, AntiVirus & IPS Updates section: Accept push updates, Scheduled Updates (Every 2 Hours), Improve IPS quality, Use extended IPS signature package, and Update AV & IPS Definitions.]


List of IPS Signatures
[Screenshot: Security Profiles > Intrusion Prevention, Edit IPS Sensor, View IPS Signatures. The signature list shows Name, Severity, Target, OS, and Action columns. Callouts mark the active signature database and each signature's default action.]


Configuring IPS Sensors
• Add individual signatures
• Add groups of signatures using filters

[Screenshot: Security Profiles > Intrusion Prevention, Edit IPS Sensor. Add Signatures selects individual signatures from the list. Add Filter builds a filter from criteria such as OS: Windows, Protocol: HTTP, Severity: Critical, and Target: Server, and lists the signatures that match.]

Configuring IPS Sensors
• Add rate-based signatures to block traffic when the threshold is exceeded during a
time period
• Track the traffic based on source or destination IP address

Security Profiles > Intrusion Prevention

Rate Based Signatures

Enable  Signature                                     Threshold  Duration (seconds)  Track By   Action  Block Duration
Yes     Apache.HTTPD.mod_http2.DoS                    …          1                   Source IP  Block   Expires 4 Hour(s)
No      FTP.Login.Brute.Force                         200        10                  Source IP  Block   Expires 1 Hour(s)
No      IMAP.Login.Brute.Force                        60         10                  Source IP  Block   Expires 1 Hour(s)
No      MS.Active.Directory.LDAP.Packet.Handling.DoS  100        1                   Source IP  Block   Expires 5 Minute(s)
No      MS.RDP.Connection.Brute.Force                 200        10                  Source IP  Block   Expires 1 Day(s)
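The threshold, duration, track-by, and block-duration settings above can be modelled as a per-address sliding window. This is an added illustration, not Fortinet's implementation: the class and function names, the sample addresses, and the choice to block on the first match above the threshold are assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class RateRule:
    signature: str
    threshold: int        # matches tolerated inside one window
    duration: float       # window length in seconds
    track_by: str         # "src" or "dst"
    block_seconds: float  # how long the tracked address stays blocked


class RateTracker:
    """Per-address sliding window for one rate-based signature (hypothetical model)."""

    def __init__(self, rule):
        self.rule = rule
        self.matches = defaultdict(deque)  # address -> timestamps inside the window
        self.blocked_until = {}            # address -> time at which the block expires

    def observe(self, ts, src, dst):
        """Record one signature match and return "pass" or "block"."""
        key = src if self.rule.track_by == "src" else dst
        expiry = self.blocked_until.get(key)
        if expiry is not None:
            if ts < expiry:
                return "block"
            del self.blocked_until[key]

        window = self.matches[key]
        window.append(ts)
        # Forget matches that are older than the configured duration.
        while window and window[0] <= ts - self.rule.duration:
            window.popleft()

        # Assumption: the block starts with the first match above the threshold.
        if len(window) > self.rule.threshold:
            self.blocked_until[key] = ts + self.rule.block_seconds
            window.clear()
            return "block"
        return "pass"


def replay(rule, events):
    """Run (timestamp, source, destination) matches through a fresh tracker."""
    tracker = RateTracker(rule)
    return [tracker.observe(ts, src, dst) for ts, src, dst in events]


# Values from the IMAP.Login.Brute.Force row: 60 matches, 10 seconds, source IP, 1 hour.
IMAP_RULE = RateRule("IMAP.Login.Brute.Force", 60, 10, "src", 3600)

# Constructed events; the addresses come from documentation ranges.
BURST = [(i / 10, "198.51.100.7", "192.0.2.25") for i in range(61)]
LATER = [
    (120.0, "198.51.100.7", "192.0.2.25"),   # same source, still inside the block
    (120.0, "198.51.100.8", "192.0.2.25"),   # different source, same server
    (3606.0, "198.51.100.7", "192.0.2.25"),  # the one-hour block has expired
]

if __name__ == "__main__":
    verdicts = replay(IMAP_RULE, BURST + LATER)
    print(verdicts[59], verdicts[60], verdicts[61:])
```

Because the rule tracks by source IP, the second source reaching the same server is unaffected by the first source's block.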


IPS Sensor Inspection Sequence
[Screenshot: Security Profiles > Intrusion Prevention, sensor named SERVER. IPS Signatures lists 4D.WebStar.Tomcat.Plugin.Remote.Buffer.Overflow (target Server; service TCP, HTTP; OS Windows; action Monitor). IPS Filters lists one filter (Location: server, OS: Windows) with action Default. The Rate Based Signatures section follows.]

Individual signature actions will override any filter-based action.


Configuring IP Exemptions
• Exempt specific source or destination IP addresses from specific signatures
• Only configurable under individual IPS signatures

[Screenshot: Security Profiles > Intrusion Prevention, Edit IPS Sensor high_security. For the signature 3Com.3CDaemon.FTP.Server.Information.Disclosure (target Client; service TCP, FTP; OS Windows; action Default), the Edit IP Exemptions dialog lists one exemption: Source IP/Netmask 10.0.1.10/255.255.255.255, Destination IP/Netmask 0.0.0.0/0.0.0.0.]


IPS Actions
• Choose what action to take when a signature is triggered

[Screenshot: Security Profiles > Intrusion Prevention. The Action menu for a signature or filter offers Pass, Monitor, Block, Reset, Default, and Quarantine, together with a Packet Logging option.]


Enabling Botnet Protection
• The botnet database:
• Now part of the IPS contract
• Should be used with the IPS profile to maximize the protection of internal endpoints
• Can be enabled only on the IPS profile starting FortiOS 6.2
• Administrators can set the action to Block or Monitor
• IPS logs are generated

[Screenshot: Security Profiles > Intrusion Prevention, botnet setting on the IPS sensor.]


Applying IPS Inspection
• Add IPS sensors as security profiles to firewall policies
[Screenshot: Policy & Objects > IPv4 Policy, New Policy. The Security Profiles section lists AntiVirus, Web Filter, DNS Filter, Application Control, IPS, and SSL Inspection. Logging Options shows Log Allowed Traffic (Security Events), Generate Logs when Session Starts, and Capture Packets.]


IPS Logging
Log & Report > Intrusion Prevention

#   Date/Time  Source        Protocol  Action   Attack Name
1   12:17:17   10.200.1.254  tcp       dropped  PHPBB.Viewtopic.Highlight.Code.Execution
2   12:17:07   10.200.1.254  tcp       dropped  PHPBB.Viewtopic.Highlight.Command.Executic…
3   12:16:57   10.200.1.254  tcp       dropped  PHPBB.Viewtopic.Highlight.Code.Execution
4   12:16:47   10.200.1.254  tcp       dropped  PHPBB.Viewtopic.Highlight.Command.Executic…
5   12:16:37   10.200.1.254  tcp       dropped  NetworkActiv.Web.Server.XSS
6   12:16:27   10.200.1.254  tcp       dropped  NetworkActiv.Web.Server.XSS
7   12:16:17   10.200.1.254  tcp       dropped  NetworkActiv.Web.Server.XSS
8   12:16:07   10.200.1.254  tcp       dropped  NetworkActiv.Web.Server.XSS
9   12:15:57   10.200.1.254  tcp       dropped  NetworkActiv.Web.Server.XSS
10  12:15:47   10.200.1.254  tcp       dropped  NetworkActiv.Web.Server.XSS
11  12:15:37   10.200.1.254  tcp       dropped  NetworkActiv.Web.Server.XSS
12  12:15:27   10.200.1.254  tcp       dropped  NetworkActiv.Web.Server.XSS
13  12:15:17   10.200.1.254  tcp       dropped  NetworkActiv.Web.Server.XSS
14  12:15:07   10.200.1.254  tcp       dropped  NetworkActiv.Web.Server.XSS


Lesson Overview

Inspection Modes
Web Filtering Basics
Additional Proxy-Based Web Filtering Features
DNS Filtering
Best Practices and Troubleshooting

Web Filtering Basics
Objectives
• Describe web filter profiles
• Work with web filter categories
• Configure web filter overrides
• Configure custom categories
• Submit a FortiGuard rating request
Why Apply Web Filtering?
• Mitigate the negative effects of inappropriate web content
• Preserve employee productivity
• Prevent network congestion
• Prevent data loss and exposure of confidential information
• Decrease exposure to web-based threats
• Prevent copyright infringement
• Prevent viewing of inappropriate or offensive material



When Does Web Filtering Activate?

[Diagram: a client request for www.acme.com passing through FortiGate to the Internet, in order: DNS Request, DNS Response, SYN, SYN/ACK, ACK, HTTP GET, HTTP 200. Callout: filtering is based on the response; web filter: HTTP 200.]


Web Filter Profiles-Flow Based
• Profile-Based
• Configure Web Filter profile
• FortiGuard categories
• Static URL
• Rating option
• Apply profile to firewall policy
• Policy-Based
• Apply application control and URL categories directly in a firewall policy

[Screenshots: Security Profiles > Web Filter (profile-based) and Policy & Objects > IPv4 Policy, Edit Policy (policy-based) for the Full_Access policy, with Source LOCAL_SUBNET, Service ALL, and Application and URL Category fields.]

Web Filter Profiles-Proxy Based
• Proxy-based options
• Configure Web Filter profile
• FortiGuard categories
• Search engines
• Static URL
• Rating option
• Proxy option
• Apply profile to firewall policy
• Create or customize profiles
• Default
• Monitor-all

[Screenshot: Security Profiles > Web Filter, Edit Web Filter Profile default (comment: Default web filtering), with sections FortiGuard category based filter, Allow users to override blocked categories, Search Engines, Static URL Filter, Rating Options, and Proxy Options.]


FortiGuard Category Filter
• Split into multiple categories and subcategories
• Release new categories and subcategories compatible with updated firmware
• Older firmware has new values mapped to existing categories

• Live connection to FortiGuard


• Active contract required
• Seven-day grace period on expiry

• FortiManager can be used instead of FortiGuard




How Are Categories Decided?
• FortiGate queries the FortiGuard Distribution Network (FDN) to determine a website category
• The web filter rating is determined by:
• Human rater
• Text analysis
• Exploitation of web structure
• Description of categories:
• www.fortiguard.com

[Screenshot: Web Filter Lookup page.]


How Does It Work?

[Diagram: URL categories and category actions applied to traffic between the client and the Internet.]

Proxy-Based   Flow-Based (Profile)  Flow-Based (Policy)
Allow         Allow                 Firewall policy action
Block         Block
Monitor       Monitor
Warning       Warning
Authenticate  Authenticate

[Screenshot: Security Profiles > Web Filter, FortiGuard category based filter, with categories such as Local Categories, Potentially Liable, Adult/Mature Content, Bandwidth Consuming, Security Risk, General Interest - Personal, General Interest - Business, and Unrated, and the Allow, Block, Monitor, Warning, and Authenticate actions.]


Web Filter FortiGuard Category Action-Warning
• Category Action
• Exclusive for web filtering
• Proxy mode
• Flow mode (profile-based only)
• Not available in:
• Static URL filtering feature
• DNS filter profile
• FortiGuard warning page
• Customizable warning interval

[Screenshot: the category action menu (Allow, Authenticate, Block, Monitor, Warning) and the FortiGuard warning page for youtube.com: "Web Page Blocked! You have tried to access a web page which is in violation of your internet usage policy." URL: http://youtube.com/, Category: Streaming Media and Download, Client IP: 10.0.1.10, Server IP: 216.58.192.238, User name and Group name empty, a link to have the rating of the web page re-evaluated, and Proceed and Go Back buttons.]


Web Filter FortiGuard Category Action-Authenticate
1. Define Users and Group
2. Set Action = Authenticate
3. Select User Group

[Screenshot: Security Profiles > Web Filter. Under Bandwidth Consuming, the Streaming Media and Download category is edited (Edit Filter) with Warning Interval 5 Minute(s) and a selected user group. A request to www.youtube.com returns the Web Filter Block Override page, which asks for a username and password.]


Threat Feeds

• Dynamically import external block lists from an HTTP server
• Block list to enforce special security requirements
• Long-term or short-term policies
• Dynamically imported, any new changes are instantly imported by FortiOS

[Screenshot: Security Fabric > Fabric Connectors, Threat Feeds: FortiGuard Category, IP Address, Domain Name, Malware Hash.]


Using Threat Feeds
• Where can it be used?
• FortiGuard Category
• Web filter profile - Under Remote Categories
• SSL/SSH Inspection profile - Under Exempt from SSL Inspection in Web Categories
• Firewall IP Address
• DNS filter profile - Under External IP Block Lists
• Source/destination in proxy policy
• Domain Name
• DNS filter profile - Under Remote category

[Screenshots: Security Profiles > Web Filter (FortiGuard category based filter, Remote Categories) and Security Profiles > DNS Filter (External IP Block Lists; FortiGuard category based filter, Remote Categories).]

Web Rating Override
• Override the rating applied to a host name by FortiGuard service
• Host name reassigned to a completely different category and uses that action
• Rating overrides are checked prior to contacting FortiGuard for a rating

• Override applies to FortiGate device only


• Changes are not submitted to FortiGuard subscription services

• Host names only
• google.com (valid)
• www.google.com (valid)
• www.google.com/index.html (not valid)
• google.* (not valid)


Web Rating Override-Configuration
• Changes a website category, not the category action
• Make an exception

[Screenshot: Security Profiles > Web Rating Overrides, Edit Web Rating Overrides. URL: www.something.com (with Lookup Rating); Override to Category: Bandwidth Consuming, Sub-Category: Peer-to-peer File Sharing.]

Custom Categories
• Additional customized categories can be added
• Categories in use cannot be deleted

[Screenshot: Security Profiles > Web Rating Overrides, Custom Categories dialog listing custom1 and custom2, each with 0 override URLs and 1 web filter profile reference.]


URL Filtering
• Check against configured URLs in URL filter
• Entries are checked from top to bottom
• Four possible actions:
• Allow: Access is permitted. Traffic is passed to remaining operations, including FortiGuard web filter, web content filter, web script filters, and antivirus scanning.
• Block: Attempts are denied. User given a replacement message.
• Monitor: Traffic is allowed through. Log entries are created. Also subject to all other security profile inspections.
• Exempt: Allows traffic from trusted sources to bypass all security inspections.
• Types of URL patterns:
• Simple, wildcards, or regular expressions

Security Profiles > Web Filter, Static URL Filter (Block Invalid URLs, URL Filter)

URL                        Type             Action   Status
.*\.something\.(org|biz)   Reg. Expression  Exempt   Enable
somewhere.*                Wildcard         Monitor  Enable
www.somesite.com/someURL   Simple           Block    Enable

[Diagram: a request from the client for URL www.somesite.com/someurl is blocked before it reaches the Internet.]
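The top-to-bottom evaluation and the four actions can be walked through in a few lines. This is an added sketch, not FortiOS code: the entries are constructed to mirror the slide's table, and the matching rules (case-insensitive comparison, exact match for Simple, fnmatch-style `*` for Wildcard, Python `re` for regular expressions) are assumptions.

```python
import re
from fnmatch import fnmatchcase

# Constructed entries modelled on the slide's table: (pattern, type, action), top to bottom.
URL_FILTER = [
    (r".*\.something\.(org|biz)", "regex", "exempt"),
    ("somewhere.*", "wildcard", "monitor"),
    ("www.somesite.com/someURL", "simple", "block"),
]

# What each action means for the rest of the inspection chain, per the slide.
EFFECT = {
    "allow":   {"delivered": True,  "further_inspection": True},
    "monitor": {"delivered": True,  "further_inspection": True},   # also logged
    "exempt":  {"delivered": True,  "further_inspection": False},  # bypasses all inspection
    "block":   {"delivered": False, "further_inspection": False},  # replacement message
}


def normalise(url):
    """Drop the scheme and lower-case the rest (assumed case-insensitive matching)."""
    return re.sub(r"^[a-z][a-z0-9+.-]*://", "", url.strip(), flags=re.I).lower()


def entry_matches(pattern, kind, url):
    """Match one filter entry against an already normalised URL."""
    if kind == "simple":
        return url == pattern.lower()
    if kind == "wildcard":
        return fnmatchcase(url, pattern.lower())
    if kind == "regex":
        return re.search(pattern, url, re.I) is not None
    raise ValueError(f"unknown pattern type: {kind}")


def evaluate(url, entries=URL_FILTER):
    """Return the decision of the first matching entry; later entries are never consulted."""
    target = normalise(url)
    for position, (pattern, kind, action) in enumerate(entries, start=1):
        if entry_matches(pattern, kind, target):
            return {"entry": position, "pattern": pattern, "action": action, **EFFECT[action]}
    # No entry matched: the static filter decides nothing and later stages still run.
    return {"entry": None, "pattern": None, "action": None,
            "delivered": None, "further_inspection": True}


def shadowed(entries, samples):
    """Entries that match some sample URL but never decide it, because an earlier entry wins."""
    hidden = []
    for position, (pattern, kind, _action) in enumerate(entries, start=1):
        hits = [s for s in samples if entry_matches(pattern, kind, normalise(s))]
        if hits and all(evaluate(s, entries)["entry"] < position for s in hits):
            hidden.append(pattern)
    return hidden


# Constructed ordering mistake: the broad Monitor wildcard sits above a specific Block.
MISORDERED = [
    ("somewhere.*", "wildcard", "monitor"),
    ("somewhere.com/private", "simple", "block"),
]
SAMPLES = ["somewhere.com/private", "somewhere.com/public"]

if __name__ == "__main__":
    print(evaluate("www.somesite.com/someurl"))
    print(shadowed(MISORDERED, SAMPLES))
```

Running `shadowed` over a proposed filter list with representative URLs before deployment shows which Block entries sit behind a broader Allow, Monitor, or Exempt entry.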


FortiGuard Rating Submissions
• Request to re-evaluate a website's rating:
[Screenshot: System > FortiGuard, Filtering section: Web Filter Cache (clear cache after 60 minutes), Anti-Spam Cache (clear cache after 30 minutes), FortiGuard Filtering Port, Filtering Services Availability (Web Filtering, Anti-Spam) with Check Again, and the link Request re-evaluation of a URL's category.]

• Request for a website rating: www.fortiguard.com

[Screenshot: Web Filter Classification Rating Request form, with URL, Rating Suggestion, and screenshot attachment fields.]


Best Practices and Troubleshooting
Objectives
• Understand HTTP inspection order
• Troubleshoot filter issues
• Investigate FortiGuard connection issues
• Apply web filter cache best practices
• Monitor logs for web filtering events
HTTP Inspection Order

[Diagram: HTTP inspection order. A request is checked by the URL filters and then the FortiGuard category filter before the page is displayed. A Block result at a stage returns a block page. An Exempt result in the URL filters exempts the traffic from ALL further inspection.]


Apply the Filters
• It's not working? Why?
• Did you apply the security profiles to the firewall policies?
• Did you apply the SSL inspection profile, if needed?
• Is FortiGuard SDNS service accessible for DNS filters?

config firewall policy
    edit <policy_id>
        set dnsfilter-profile <profile>
        set webfilter-profile <profile>
    next
end

config firewall profile-group
    edit <group name>
        set dnsfilter-profile <profile>
        set webfilter-profile <profile>
    next
end

[Screenshot: Policy & Objects > IPv4 Policy, Security Profiles section: AntiVirus, Web Filter (default), DNS Filter (default), Application Control, IPS, Proxy Options (default), and SSL/SSH Inspection (certificate-inspection).]


FortiGuard Connection
• FortiGuard category filtering requires a live connection
• Weight Calculation: default= (difference in time zone) x 10
• Goes down over time (never below default)
• Goes up if packets are lost

diagnose debug rating


Web Filter Cache
• Improves performance by reducing requests to FortiGuard
• Cache is checked before sending a request to the FortiGuard server
• FortiGate remembers response of visited websites
• TTL settings control the number of seconds the query results are cached
• Request is considered a rating error after timeout (15 seconds as default)
• UDP and HTTPS ports 53 or 8888 for FortiGuard or FortiManager communications
• Enabled by default- default TTL is 60 minutes (3600 seconds)
config system fortiguard
    set webfilter-cache [enable | disable]
    set webfilter-cache-ttl <300 - 86400>
    set webfilter-timeout <1 - 30>
end

[Screenshot: System > FortiGuard, Filtering section: Web Filter Cache (clear cache after 60 minutes), Anti-Spam Cache (clear cache after 30 minutes), FortiGuard Filtering Protocol, FortiGuard Filtering Port, Filtering Services Availability (Web Filtering, Anti-Spam) with Check Again, and Request re-evaluation of a URL's category.]


Web Filter Log
• Record HTTP traffic activity, such as:
• Action, profile used, category, URL, quota info, and so on

Log & Report > Web Filter

#  Date/Time  Source     Action       URL                                   Category Description    Sent / Received
1  10:20:04   10.0.1.10  passthrough  detectportal.firefox.com/             Information Technology  367 B / 0 B
2  10:20:00   10.0.1.10  blocked      detectportal.firefox.com/success.txt  Information Technology  297 B / 0 B
3  10:20:00   10.0.1.10  blocked      detectportal.firefox.com/success.txt  Information Technology  297 B / 0 B
4  10:20:00   10.0.1.10  blocked      detectportal.firefox.com/success.txt  Information Technology  297 B / 0 B
5  10:20:00   10.0.1.10  blocked      detectportal.firefox.com/success.txt  Information Technology  297 B / 0 B
6  10:20:00   10.0.1.10  blocked      detectportal.firefox.com/success.txt  Information Technology  297 B / 0 B
7  10:20:00   10.0.1.10  blocked      detectportal.firefox.com/success.txt  Information Technology  594 B / 384 B

date=… time=10:20:04 logid=… type=utm subtype=…
eventtype="ftgd_allow" level="notice" vd="root" logtime=1516299603 policyid=1
sessionid=1839 srcip=10.0.1.10 srcport=36542 srcintf="port3"
srcintfrole="undefined" dstip=205.250.85.48 dstport=80 dstintf="port1"
dstintfrole="undefined" proto=6 service="HTTP"
hostname="detectportal.firefox.com" profile="default" action="passthrough"
reqtype="direct" url="/" sentbyte=367 rcvdbyte=0 direction="outgoing"
msg="URL belongs to an allowed category in policy" method="domain" cat=52 …
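For monitoring, the raw key=value form above is easier to work with than the GUI table. The following added example, which is not Fortinet tooling, parses such lines and groups blocked web filter events by source, target, and category; the sample lines are constructed from the field names shown on this slide, and the function names, the date, and the second source address are assumptions.

```python
import re

# key=value pairs; a value is either "quoted" (may contain spaces) or a bare token.
PAIR = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S*))')


def parse_line(line):
    """Turn one raw log line into a dict of field name -> string value."""
    return {key: (bare or quoted) for key, quoted, bare in PAIR.findall(line)}


def blocked_summary(lines):
    """Group blocked web filter events by (source IP, host + path, category)."""
    groups = {}
    for line in lines:
        f = parse_line(line)
        if f.get("subtype") != "webfilter" or f.get("action") != "blocked":
            continue
        key = (f.get("srcip"), f.get("hostname", "") + f.get("url", ""), f.get("catdesc"))
        when = f.get("time", "")
        group = groups.setdefault(key, {
            "srcip": key[0], "target": key[1], "category": key[2],
            "count": 0, "first": when, "last": when,
        })
        group["count"] += 1
        group["first"] = min(group["first"], when)
        group["last"] = max(group["last"], when)
    # Most frequently blocked combination first.
    return sorted(groups.values(), key=lambda g: -g["count"])


def repeated_blocks(lines, minimum=3):
    """Only the groups blocked at least `minimum` times."""
    return [g for g in blocked_summary(lines) if g["count"] >= minimum]


# Constructed sample lines (not taken from a real device).
TEMPLATE = (
    'date=2024-05-01 time={time} type=utm subtype=webfilter level="notice" '
    'srcip={src} srcintf="port3" dstip=205.250.85.48 dstport=80 service="HTTP" '
    'hostname="detectportal.firefox.com" profile="default" action="{action}" '
    'url="{url}" catdesc="Information Technology" msg="{msg}"'
)
ALLOWED_MSG = "URL belongs to an allowed category in policy"
DENIED_MSG = "URL belongs to a denied category in policy"

SAMPLE = (
    [TEMPLATE.format(time="10:20:04", src="10.0.1.10", action="passthrough",
                     url="/", msg=ALLOWED_MSG)]
    + [TEMPLATE.format(time="10:20:00", src="10.0.1.10", action="blocked",
                       url="/success.txt", msg=DENIED_MSG) for _ in range(4)]
    + [TEMPLATE.format(time="10:21:15", src="10.0.1.20", action="blocked",
                       url="/success.txt", msg=DENIED_MSG)]
)

if __name__ == "__main__":
    for group in blocked_summary(SAMPLE):
        print(group)
```

A burst of identical blocks from one source within the same second, as in rows 2 to 7 of the table, usually points to an automated client request rather than a user.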
