Vous êtes sur la page 1sur 271

FortiGate Multi-Threat Security and Systems I

Administration, Content Inspection and VPNs


Student Guide

FortiGate Multi-Threat Security and Systems I


Student Guide
1 June 2014
FGT1-500005-E-20140417

Fortinet, FortiGate, and FortiGuard are registered trademarks of Fortinet, Inc., and other Fortinet names
herein may also be trademarks, registered or otherwise, of Fortinet. All other product or company names
may be trademarks of their respective owners. Copyright 2002 - 2014 Fortinet, Inc. All rights reserved.
Contents and terms are subject to change by Fortinet without prior notice. No part of this publication may
be reproduced in any form or by any means or used to make any derivative such as translation,
transformation, or adaptation without permission from Fortinet, Inc., as stipulated by the United States
Copyright Act of 1976.

Table of Contents
VIRTUAL LAB BASICS .................................................................................. 7
Logging into the Virtual Lab ................................................................................................. 7
Transferring files to the VM .......................................................................................................................... 12
Using HTML instead of Java ........................................................................................................................ 12
International keyboards ................................................................................................................................ 13

Topology .............................................................................................................................. 14
Troubleshooting Tips ........................................................................................................... 14

MODULE 1 ................................................................................................... 16
Lab 1: Initial Setup and Configuration .................................................................................. 16
Objectives .................................................................................................................................................... 16
Time to Complete......................................................................................................................................... 16
Exercise 1 (Optional) Configuring Network Interfaces on Student and Remote FortiGate Devices ........... 17
Exercise 2 Exploring the Command Line Interface ..................................................................................... 19
Exercise 3 Restoring Configuration Devices ............................................................................................... 21
Exercise 4 Performing Configuration Backups ............................................................................................ 23

Lab 2: Administrative Access ............................................................................................... 24


Objectives .................................................................................................................................................... 24
Time to Complete......................................................................................................................................... 24
Exercise 1 Profiles and Administrators ....................................................................................................... 25
Exercise 2 Restricting Administrator Access ............................................................................................... 27

MODULE 2 ................................................................................................... 28
Lab 1: Status Monitor and Event Log................................................................................... 28
Objectives .................................................................................................................................................... 28
Time to Complete......................................................................................................................................... 28
Exercise 1 Exploring the GUI Status Monitor .............................................................................................. 29
Exercise 2 Event Log and Logging Options ................................................................................................ 31

Lab 2: Remote Monitoring ................................................................................................... 33


Objectives .................................................................................................................................................... 33
Time to Complete......................................................................................................................................... 33
Exercise 1 Remote Syslog Logging and SNMP Monitoring ........................................................................ 34

MODULE 3 ................................................................................................... 36

Lab 1: Firewall Policy ........................................................................................................... 36


Objectives .................................................................................................................................................... 36
Time to Complete......................................................................................................................................... 36
Exercise 1 Creating Firewall Objects and Rules ......................................................................................... 37
Exercise 2 Policy Action .............................................................................................................................. 39
Exercise 3 Configuring Virtual IP Access .................................................................................................... 40
Exercise 4 Configuring IP Pools.................................................................................................................. 43

Lab 2: Traffic Log ................................................................................................................. 45


Objectives .................................................................................................................................................... 45
Time to Complete......................................................................................................................................... 45
Exercise 1 Enabling Traffic Logging ............................................................................................................ 46

Lab 3: Device Policies ......................................................................................................... 47


Objectives .................................................................................................................................................... 47
Time to Complete......................................................................................................................................... 47
Exercise 1 Enabling Device Identification ................................................................................................... 48

MODULE 4 ................................................................................................... 52
Lab 1: User Authentication .................................................................................................. 52
Objectives .................................................................................................................................................... 52
Time to Complete......................................................................................................................................... 52
Exercise 1 Identity-based Firewall Policy .................................................................................................... 53

MODULE 5 ................................................................................................... 55
Lab 1: SSL VPN................................................................................................................... 55
Objectives .................................................................................................................................................... 55
Time to Complete......................................................................................................................................... 55
Exercise 1 Configuring SSL VPN for Web Access ...................................................................................... 56
Exercise 2 Configuring SSL VPN for Tunnel Mode ..................................................................................... 59

MODULE 6 ................................................................................................... 62
Lab 1: IPSec VPN ................................................................................................................ 62
Objectives .................................................................................................................................................... 62
Time to Complete......................................................................................................................................... 62
Exercise 1 Site to Site IPsec VPN............................................................................................................... 63

MODULE 7 ................................................................................................... 66
Lab 1: Antivirus Scanning .................................................................................................... 66
Objectives .................................................................................................................................................... 66
Time to Complete......................................................................................................................................... 66

Exercise 1 Antivirus Testing ........................................................................................................................ 67

MODULE 8 ................................................................................................... 70
Lab 1: Email Filtering ........................................................................................................... 70
Objectives .................................................................................................................................................... 70
Time to Complete......................................................................................................................................... 70
Exercise 1 Configuring FortiGuard AntiSpam ............................................................................................. 71

MODULE 9 ................................................................................................... 73
Lab 1: Web Filtering............................................................................................................. 73
Lab Objectives ............................................................................................................................................. 73
Time to Complete......................................................................................................................................... 73
Exercise 1 FortiGuard Web Filtering ........................................................................................................... 74

MODULE 10 ................................................................................................. 78
Lab 1: Application Identification ........................................................................................... 78
Objectives .................................................................................................................................................... 78
Time to Complete......................................................................................................................................... 78
Exercise 1 Creating an Application Control List .......................................................................................... 79

Lab 2: Traffic Shaping .......................................................................................................... 81


Objectives .................................................................................................................................................... 81
Time to Complete......................................................................................................................................... 81
Exercise 1 Limiting YouTube Traffic ........................................................................................................... 82

Lab 3: Selective Application Control .................................................................................... 83


Objectives .................................................................................................................................................... 83
Time to Complete......................................................................................................................................... 83
Exercise 1 Block Wikipedia Editing ............................................................................................................. 84

APPENDIX A: ADDITIONAL RESOURCES ........................................................ 85


APPENDIX B: PRESENTATION SLIDES ........................................................... 86
Module 1: Introduction to Fortinet Unified Threat Management ........................................... 87
Module 2: Logging and Monitoring....................................................................................... 108
Module 3: Firewall Policies .................................................................................................. 127
Module 4: Firewall Authentication ........................................................................................ 158
Module 5: SSL VPN ............................................................................................................. 174

Module 6: IPSec VPN .......................................................................................................... 188


Module 7: Antivirus .............................................................................................................. 200
Module 8: Email Filtering ..................................................................................................... 222
Module 9: Web Filtering ....................................................................................................... 241
Module 10: Application Control ............................................................................................ 258

Virtual Lab Basics Logging into the Virtual Lab

Virtual Lab Basics


In this class, you will use a virtual lab for hands-on exercises. This section explains how to connect to the
lab and its virtual machines. It also shows the topology of the virtual machines in the lab.
Note: If your trainer asks you to use a different laboratory, such as devices physically located
in your classroom, please ignore this section. This is applicable only to the virtual lab
accessed through the Internet. If you do not know which lab to use, please ask your trainer.

Logging into the Virtual Lab


1. Run the TrueLab System Checker. This will fully verify both:

compatibility of your computer with the virtual lab environment's software, and

that your computer can connect

It can also diagnose problems with the Java Virtual Machine, company firewall, or proxy server.
Use the URL for your location.
North America/South America:
http://truelab.hatsize.com/syscheck
Europe/Middle East/Africa:
http://truelab.hatsize.com/syscheck/frankfurt/
Asia/Pacific:
http://truelab.hatsize.com/syscheck/singapore/
If a security confirmation dialog appears, click Run.
If your computer successfully connects to the virtual lab, the "Status" field will display "SUCCESS".
Continue to the next step.

FortiGate Multi-Threat Security and Systems I

Virtual Lab Basics Logging into the Virtual Lab

If "FAILED" appears, read the messages to identify the problem. For help fixing problems, either click
the link for the troubleshooter or ask your trainer.
2. With the user name and password that your trainer provides, log into the URL for the virtual lab.
Either:
https://remotelabs.training.fortinet.com/

FortiGate Multi-Threat Security and Systems I

Virtual Lab Basics Logging into the Virtual Lab

https://virtual.mclabs.com/

3. Select the time zone for your location, then click Update.
This ensures that your class schedule is accurate.

4. Select a screen resolution for the virtual lab's Java applet, then click Open.

FortiGate Multi-Threat Security and Systems I

Virtual Lab Basics Logging into the Virtual Lab

A list of virtual machines that exist in the virtual lab will appear. Your trainer can describe each of the
virtual machines in the lab.

From this page, you can access the console of any of your virtual devices by either clicking on the
devices square, or selecting System > Open.
5. Click K1-Windows to open a connection to that server.

FortiGate Multi-Threat Security and Systems I

10

Virtual Lab Basics Logging into the Virtual Lab

A new Java applet window should open within a few seconds. (By default, the web page uses Java to
connect to each VMs console. If this fails, you may need change browser settings to allow Java to run
on this web site.) Depending on the virtual machine, the applet provides access to either the GUI or a
text-based CLI. Connections to Windows machines will use a Remote Desktop-like GUI. The applet
should automatically log in, then display the Windows desktop. For most lab exercises, you will connect
to this VM.

FortiGate Multi-Threat Security and Systems I

11

Virtual Lab Basics Logging into the Virtual Lab

Note: If your computers connection with the virtual Windows server times out or if you are
accidentally disconnected, you can regain access by returning to your browser and
opening the Java applet again.

Transferring files to the VM


When using the Java applet to connect to a VM, you can drag-and-drop files from your computer to the
VM. For example, if you have a FortiGate configuration file that you want to upload to your lab VM, you
could create it on your computer, then drag it into the Java application window that is connected to the
Windows VM. Typically the destination folder is C:\Uploads.

Using HTML instead of Java


By default, when you choose to open a VM, your browser will download and use a Java application to
connect to the virtual labs VM. This means that Java must be installed, updated, and enabled in your
browser.
Alternatively, you can use HTML5 instead. Click the Settings button, then disable Use Java.

FortiGate Multi-Threat Security and Systems I

12

Virtual Lab Basics Logging into the Virtual Lab

When connecting to a VM, your browser will then open a display in a new window or tab.

International keyboards
If special characters in your preferred language dont display correctly, keyboard mappings may not be
correct. To solve this, you can copy and paste between your computer and the Java applet. Alternatively,
you can use an on-screen keyboard. To do this, click the keyboard icon at the top of the applet window.

FortiGate Multi-Threat Security and Systems I

13

Virtual Lab Basics Topology

Topology
The network diagram below shows the configuration of your virtual environment.

Each students lab contains:

Windows 2003 Server


2 FortiGate devices
Windows XP
Linux Server

Troubleshooting Tips

Do not connect to the virtual lab environment through a low-bandwidth or high-latency connection,
including VPN tunnels or wireless such as 3G or WiFi. For best performance, use a stable
broadband connection such as a LAN.
Do not disable or block Java applets. On Mac OS X, since early 2014, to improve security, Java
has been disabled by default. In your browser, you must allow Java for this web site. On Windows,
if the Java applet is allowed and successfully downloads, but does not appear to launch, you can
open the Java console while troubleshooting. To do this, open the Control Panel, click Java, and
change the Java console setting to be Show console.
Network firewalls can also block Java executables.
Note: JavaScript is not the same as Java.
Prepare your computer's settings:
o Disable screen savers
o Change the power saving scheme so that your computer is always on, and does not go
to sleep or hibernate
If disconnected unexpectedly from any of the virtual machines (or from the virtual lab portal),
please attempt to reconnect. If unable to reconnect, please notify the instructor.
If during the labs, particularly when reloading configuration files, you see a message similar to
the one shown below, the VM is waiting for a response to the authentication server.

FortiGate Multi-Threat Security and Systems I

14

Virtual Lab Basics Troubleshooting Tips

To retry immediately, go to the console and enter the CLI command:


exec update-now

FortiGate Multi-Threat Security and Systems I

15

Module 1 Lab 1: Initial Setup and Configuration

Module 1
Lab 1: Initial Setup and Configuration
This first lab will provide an initial orientation to the CLI and administrative GUI and will guide the student
through the basic setup of a FortiGate. This lab will demonstrate how to properly backup and restore a
configuration file, as well as manipulate administrative access to a FortiGate unit.
If during the labs, particularly when reloading configuration files, you see a message similar to the one
shown below, go to the console and enter the CLI command execute update-now.

This message indicates that the FortiGate VM is waiting for a response from the authentication server.
The execute update-now command will resend the request and force a response.

Objectives

Distinguish between an encrypted and non-encrypted configuration file


Describe how to back up and restore configuration files
Recognize model and build information inside a configuration file

Time to Complete
Estimated: 15 minutes

FortiGate Multi-Threat Security and Systems I

16

Module 1 Lab 1: Initial Setup and Configuration

Exercise 1 (Optional) Configuring Network Interfaces on Student and


Remote FortiGate Devices
The steps below only need to be performed if your virtual lab set-up has been started from a blank
FortiGate image. Before proceeding, please check with your Instructor to confirm if these steps are
required for your particular classroom lab configuration.
1. Connect to the console of the Student FortiGate device and at the login screen, enter the default
username of admin (all lowercase) and leave the password blank.
To access the Student FortiGate device using the GUI, you must first modify the port3 interface settings
by executing the following CLI commands:
conf system interface
edit port3
set ip 10.0.1.254/24
set allowaccess http
end
You have now configured the port3 interface with an IP address and device access settings.
2. Enter the following command to check your configuration:
show system interface
3. Open a web browser and enter the following URL to access the GUI for the Student FortiGate:
http://10.0.1.254
4. Accept the FortiGate units self-signed certificate or security exemption if a security warning appears.
HTTPS is the recommended protocol for administrative access to the FortiGate unit. Other available
protocols include SSH, PING, SNMP, HTTP and Telnet.
Note: To access the FortiGate GUI using a standard web browser, cookies and
JavaScript must be enabled for proper rendering and display of the graphical user
interface.
The login page of the Student FortiGate device should now be displayed. Please do not log in at this
point. You will have the opportunity to explore the FortiGate units GUI in a later exercise.
If you are not presented with a login page, check with your Instructor before proceeding.
5. Connect to the console of the Remote FortiGate device and at the login screen, enter the default
username of admin (all lowercase) and leave the password blank.
6. Enter the following CLI commands to set the port4 IP address and access control settings for your
device.
conf system interface
FortiGate Multi-Threat Security and Systems I

17

Module 1 Lab 1: Initial Setup and Configuration

edit port4
set ip 10.200.3.1/24
set allowaccess http ping
end
7. Next, check the route configuration by executing the following command:
show router static
If there is no static route configured on port4, execute the commands shown below to set this static
route. (Routing will be explained in more detail in a later section.)
conf route static
edit 0
set device port4
set gateway 10.200.3.254
end
8. You can enter the following commands to check your configuration:
show system interface
show router static
At this stage, you will not be able to connect to the remote FortiGate device until you have configured
your student FortiGate device with routing information and a firewall policy to allow that management
traffic. This configuration will be added later.

FortiGate Multi-Threat Security and Systems I

18

Module 1 Lab 1: Initial Setup and Configuration

Exercise 2 Exploring the Command Line Interface


In this exercise, students will be introduced to the FortiGate command line interface (CLI).
1. Connect to the console of the Student FortiGate device and at the login screen enter the default
username of admin (all lowercase) and no password.
2. Type the following command to display status information about the FortiGate unit:
get system status
The output displays the FortiGate unit serial number, firmware build, operational mode, and additional
settings.
3. Confirm that the firmware build is the correct version for this class.
4. Type the following command to see a full list of accepted objects for the get command:
get ?
Note: The ? character is not displayed on the screen.
At the --More-- prompt in the CLI, press the spacebar to continue scrolling or <enter> to scroll one
line at a time. Press <q> to exit.
Depending on objects and branches used with this command, there may be other sub-keywords and
additional parameters to enter.
5. Press the up arrow key to display the previous get system status command and try some of the
control key sequences that are summarized below.
up arrow, or CTRL+P
Previous command
down arrow, or CTRL+N
Next command
CTRL+A
Beginning of line
CTRL+E
End of line
CTRL+B
Back one word
CTRL+F
Forward one word
CTRL+D
Delete current character
CTRL+L
Clear screen
CTRL+C
Abort command and exit branch
CTRL+C is context sensitive and in general aborts the current command and moves up to the previous
command branch level. If already at the root branch level, CTRL+C will force a logout of the current
session and another login will be required.
6. Type the following command and press the Tab key 2 or 3 times.
execute <tab>
The command displays the list of available system utility commands one at a time each time the Tab
key is pressed.
7. Type the following command to see the entire list of execute commands:

FortiGate Multi-Threat Security and Systems I

19

Module 1 Lab 1: Initial Setup and Configuration

execute ?
8. Enter the following CLI commands and compare the available keywords for each one:
config ?
show ?
config begins the configuration mode while show displays the configuration. The only difference is
show full-configuration. The default behavior of the show command is to only display the
differences from the factory-default configuration.
9. Enter the CLI commands shown below to display the FortiGate units internal interface configuration
settings and compare the output for each of them.
Only the characters shown in bold type face need to be typed, optionally followed by <tab>, to
complete the command key word. Use this technique to reduce the number of keystrokes to enter
information. CLI commands can be entered in an abbreviated form as long as enough characters are
entered to ensure the uniqueness of the command keyword.
show system interface port3
show full-configuration system interface port3

FortiGate Multi-Threat Security and Systems I

20

Module 1 Lab 1: Initial Setup and Configuration

Exercise 3 Restoring Configuration Devices


From the Windows Server, you first will need to connect to the student FortiGate device and restore the
configuration file needed to complete the upcoming exercises.
1. Open a web browser and connect to the following URL to access the GUI on the student FortiGate
device:
http://fgt.student.lab
2. Go to System > Dashboard > Status. Under System Information, click Restore.

3. Browse the Desktop and navigate to the Resources > Module1 > Student folder.

Select the file student-initial.conf and click Restore.


After restoring the configuration, the FortiGate will automatically reboot. The length of the boot
process is affected by how complex the configuration is. The more complicated the configuration,
the longer it will take to parse it and complete the boot process.
Most configurations take less than 1 minute to complete the reboot process.
4. Reconnect to the GUI on the student FortiGate device and verify the restored configuration.
Go to System > Network > Interface and check your network interfaces.
FortiGate Multi-Threat Security and Systems I

21

Module 1 Lab 1: Initial Setup and Configuration

Go to Router > Static > Static Route and check your default route.
5. Next, perform the following steps on the student FortiGate to verify the DNS configuration settings for
the student and remote FortiGate devices. These DNS settings have been added to simplify access to
the lab devices.
Go to System > Network > DNS Server and review the student and remote DNS zones.
In the student DNS zone, verify the IPv4 Address (A) records and Pointer (PTR) records for the student
FortiGate device (10.0.1.254) and the Windows Server (10.0.1.10).
In the Remote DNS zone, check the IPv4 Address (A) records and Pointer (PTR) records for the
Remote FortiGate device (10.200.3.1) and the Windows host (10.0.2.10).
6. From a DOS command prompt on the virtual Windows Server, execute the following commands to
verify the DNS lookup functionality. DNS requests are being sent to port3, and recursive DNS requests
are allowed on this interface.
nslookup server.student.lab 10.0.1.254
nslookup fgt.student.lab 10.0.1.254
nslookup pc.remote.lab 10.0.1.254
nslookup fgt.remote.lab 10.0.1.254
Note: The parameters of the nslookup command are:
nslookup [-option] [hostname] [server]
7. In a web browser on the virtual Windows Server, connect to the following web pages to verify that the
GUI of the student and remote FortiGate devices can be accessed using their DNS hostnames:
http://fgt.student.lab
http://fgt.remote.lab

FortiGate Multi-Threat Security and Systems I

22

Module 1 Lab 1: Initial Setup and Configuration

Exercise 4 Performing Configuration Backups


1. Connect to the GUI on the student FortiGate device by accessing the URL:
https://fgt.student.lab
2. Go to System > Dashboard > Status and under System Information, click Backup.

3. Select Encrypt configuration file and enter the password: fortinet. Click Backup and save the
encrypted configuration file to the Desktop with the filename student-initial-enc.conf. (You may need to
modify the web browsers settings to prompt for the location to save files. For Firefox, go to Tools >
Options > General and select Always ask me where to save files.)
Caution: When backing up the FortiGate units configuration, be sure to use a
naming convention that you understand and which identifies both the date and the
device information. Every time that you log in and make changes to your device
(even if the change seems minor or insignificant), you should ALWAYS make a
backup of the configuration file. This will always be the best form of protection
against problems.
4. Next try restoring the encrypted configuration file. Browse the Desktop and navigate to the file studentinitial-enc.conf and click Restore.
This time you will need to enter the password fortinet as this file is encrypted.
5. Using WordPad or Notepad++, open the file student-initial.conf. In another instance of WordPad,
open the file student-initial-enc.conf and compare the details in both.
Note: In both the normal and encrypted configuration the top of the file
acts as a header, describing the firmware and model information this
configuration belongs to.

FortiGate Multi-Threat Security and Systems I

23

Module 1 Lab 2: Administrative Access

Lab 2: Administrative Access


The aim of this lab will be to demonstrate how to create and modify administrative access permissions.

Objectives

Identify the steps to create a new administrative user


Recognize the options to restrict administrative access

Time to Complete
Estimated: 10 minutes

FortiGate Multi-Threat Security and Systems I

24

Module 1 Lab 2: Administrative Access

Exercise 1 Profiles and Administrators


1. From the GUI on the student FortiGate device, go to System > Admin > Settings and select Enable
Password Policy.
Configure the password policy using the following settings:
Minimum Length:

Enable
1 Upper Case Letter
1 Numerical Digit
Enable
Enable Password Expiration:
90 days
Once the settings have been modified, click Apply to save the changes.
Must Contain:

2. Log out of the GUI, then log in again and you will be prompted to enter a new administrator password.
Enter a new password that meets the requirements configured above.
3. Next, go to System > Admin > Admin Profile and create a new Admin profile called
Security_Admin_Profile. Set Security Profile Configuration to Read-Write and set all other permissions
to Read Only.
Once the profile settings have been modified, click OK to save the changes.
4. Go to System > Admin > Administrators and click Create New to add a new Admin user called
Security_Admin. Set Admin Profile to the new profile you created in the previous step.
By doing this, you are limiting this administrators access so that they will only able to modify and create
security profiles.
Note: Administrator names and passwords are case-sensitive. You cannot
include the < > ( ) # characters in an administrator name or password.
Spaces are allowed, but not as the first or last character. Spaces in a name or
password can be confusing and require the use of quotes to enter the name
in the CLI.
Once the administrative user settings have been entered, click OK to save the changes.
5. To view the configuration for administrative users and profiles, type the following CLI commands:
show system admin
show system accprofile
6. Log out of the GUI on the student FortiGate device. Log in again as the Security_Admin user
created earlier.
7. Test this administrators access by attempting to create or modify various settings on the Student
FortiGate device. You should observe that this admin user is only able to configure settings under
Security Profiles.

FortiGate Multi-Threat Security and Systems I

25

Module 1 Lab 2: Administrative Access

For convenience in the labs, the admin password will not be set in the configuration files used in the
subsequent modules.

FortiGate Multi-Threat Security and Systems I

26

Module 1 Lab 2: Administrative Access

Exercise 2 Restricting Administrator Access


1. Connect to the GUI on the remote FortiGate device by accessing the following URL:
http://fgt.remote.lab
Log in with the default username of admin (all lowercase) and no password.
2. Edit the admin account and enable the setting Restrict this Admin Login from Trusted Hosts Only. Set
Trusted Host #1 to the address 10.0.2.0/24. Click OK to save the changes.
Now, try connecting to the GUI of the Remote FortiGate device again. What is the result this time?
Because you are connecting from the 10.200.1.1 address (because of NAT on the Student FortiGate
device) you should notice that you are no longer able to connect to the device since restricting the
connecting source IP using Trusted Hosts.
3. Attempt to ping the IP address 10.200.3.1. You should note that the ping no longer responds. This
type of access is also affected by the restriction on source IP which we have configured above.
4. Go to the console of the Remote FortiGate device and enter the following CLI commands to add
10.200.0.0/16 as the second trusted IP address (Trusted Host #2) of the admin account:
conf sys admin
edit admin
set trusthost2 10.200.0.0/16
end
5. Test the GUI and ping access again to the IP address 10.200.3.1. You should now be able to
connect to the GUI of the Remote device and ping it as well.
6. Go to System > Dashboard > Status and under System Information, click Details for Current
Administrator.
The administrators currently logged in to the FortiGate unit are displayed.
7. By default, an administrator has a maximum of three attempts to log in to their account before they are
locked out for 60 seconds. The source IP address is taken into account by the attempt counter.
The number of login attempts and the lockout period can be configured through the CLI.
To help improve the overall password security, the maximum number of attempts can be decreased
and the lockout timer can be increased using the following CLI commands:
config system global
set admin-lockout-threshold 2
set admin-lockout-duration 100
end
FortiGate Multi-Threat Security and Systems I

27

Module 2 Lab 1: Status Monitor and Event Log

Module 2
Lab 1: Status Monitor and Event Log
The aim of this lab is for students to work with the event log and monitoring on a FortiGate unit.

Objectives

Identify and properly enable logging of system events


Locate event logs for specific information

Time to Complete
Estimated: 10 minutes

FortiGate Multi-Threat Security and Systems I

28

Module 2 Lab 1: Status Monitor and Event Log

Exercise 1 Exploring the GUI Status Monitor


1. From the GUI of the Student FortiGate device, go to System > Dashboard > Status and locate the
System Resources widget.
2. Some widgets are not displayed on the dashboard by default. Click Widget to display the list of widgets
available to add to the dashboard.

If not already added, click the Sessions History widget from the pop-up window to add it to the
dashboard.
Close the widget list window.
3. Hover the mouse over the title bar of the System Resources widget and click Edit to create a custom
widget.

Configure a custom widget with the following details:


Custom Widget Name:

System Resource History

View Type:

Historical

Time Period:

Last 60 minutes

A line chart appears in a new custom System Resource History widget showing a trace of past CPU
and memory usage.
FortiGate Multi-Threat Security and Systems I

29

Module 2 Lab 1: Status Monitor and Event Log

The refresh rate of this window is automatically set to 1/20 of the time period (interval) configured.
4. The Alert Message Console widget displays recent system events, such as system restart and firmware
upgrade.
Hover the mouse over the title bar of the Alert Message Console widget and click History to view the
entire message list.

Scroll to the bottom of the window and click Close.


5. Go to System > Dashboard and select Add Dashboard. Enter any name of your choice for the new
dashboard and select the single column display.
6. Next add the Top Sessions widget on your new dashboard. Click the edit icon in the title bar of the Top
Sessions widget and observe the different ways in which top sessions can be reported. For example,
by top Destination Address, top Applications etc. You can also select to display the top sessions by
Source and Destination interfaces. Create your own customized Top Sessions widget and examine the
sessions that are listed.
7. Test the functionality of the refresh, page forward, and page back icons in this window. You may need
to generate some additional traffic in order to properly test these functions.
8. Click Dashboard and select Reset Dashboards to re-display the default dashboard.

FortiGate Multi-Threat Security and Systems I

30

Module 2 Lab 1: Status Monitor and Event Log

Exercise 2 Event Log and Logging Options


1. From the Student FortiGate CLI, execute the following command to check the system status:
get system status
2. Verify the Log hard disk status. If it is set to Available proceed to Step 3. If the status appears as Need
Format, enter the following command to format the drive.
execute formatlogdisk
When prompted to continue, type y and wait for the system to reboot.
Once the system has restarted, check the log disk settings by executing the following command:
config log disk setting
get
You should observe that the status is enabled.
3. Repeat the previous steps on the Remote FortiGate device.
4. Return to the Student FortGate device and log out of the GUI. When logging back in, use an incorrect
password once and then use the correct password to log back in again.
Go to Log & Report > Event Log > System and examine the log to find the invalid password event.
5. Go to Firewall Objects > Address > Address, and create a new firewall address using the following
settings:
fortinet
Name:
FQDN
Type:
www.fortinet.com
FQDN:
Leave the remaining settings at their defaults and click OK to save the changes.
6. Next go to Log & Report > Event Log > System and review the log entries.
7. Go to Log & Report > Log Config > Log Setting and uncheck the option System activity event.

FortiGate Multi-Threat Security and Systems I

31

Module 2 Lab 1: Status Monitor and Event Log

Click Apply to save the changes.


Different types of log entries fall into different categories. Only enable logging for the activity(s) that you
need to monitor. This avoids filling the logs with information you do not need, and consuming
unnecessary system resources.
8. Go to Firewall Objects > Address > Address and create another firewall address entry. Go to Log &
Report > Event Log > System and review the log entries again.
Note that the entries are no longer visible for this activity. With this option deselected in the Event
Logging settings, you will no longer see entries in the log for Admin users logging on/off or making
changes to the units configuration. Other types of log entries will still appear.
9. Go to Log & Report > Log Config > Log Settings and re-enable System activity event.

FortiGate Multi-Threat Security and Systems I

32

Module 2 Lab 2: Remote Monitoring

Lab 2: Remote Monitoring


The aim of this lab is for students to set up logging to a remote device and monitoring of the FortiGate
units behavior. It can be advantageous to use remote monitoring instead of local monitoring in order to
reduce resource usage. For example, while the GUI widgets provide useful displays of your system
information, they also carry a significant resource cost and should be used sparingly.

Objectives

Enabling monitoring from a syslog and SNMP device

Time to Complete
Estimated: 10 minutes

FortiGate Multi-Threat Security and Systems I

33

Module 2 Lab 2: Remote Monitoring

Exercise 1 Remote Syslog Logging and SNMP Monitoring


The Linux host in your student lab environment has been pre-configured for you to allow remote Syslog.
1. From the CLI on the student FortiGate device, enter the following commands to set up logging to the
syslog server:
conf log syslogd setting
set status enable
set facility local6
set server 10.200.1.254
end
2. Repeat the above step from the CLI on the remote FortiGate device.
3. From the virtual Windows Server desktop launch the putty.exe application and open an SSH session to
the Linux host (10.200.1.254).

Log in as root and with the password: password.


4. Run the following command to monitor the FortiGate syslog messages which are mapped to their
own file by the local6 facility.

FortiGate Multi-Threat Security and Systems I

34

Module 2 Lab 2: Remote Monitoring

tail f /var/log/fortinet
5. Leave the SSH window open and return to the student FortiGate device and generate some log entries
by doing the following:

Attempt to log in with invalid credentials


Make a minor configuration change

6. From the GUI on the Student FortiGate device, go System > Config > SNMP to enable SNMP
monitoring. Select Enable for the SNMP Agent then click Apply.
7. Create a new SNMP v3 security name using the settings displayed below. Set the Auth password to
fortinet.

Click OK.
8. Go to System > Network > Interface and edit port1. Confirm that SNMP is enabled under the
Administrative Access settings. If it is not enabled you will need to enable it first then click OK to save
the changes.
9. Leave the SSH window open that is currently running the tail command and run putty again to open
a new SSH connection to the LINUX host (10.200.1.254).
Next, execute the following snmpwalk command to find and display all of the monitoring options that a
device presents through SNMP:
snmpwalk -v 3 -a sha -A fortinet -u training -l authNoPriv 10.200.1.1
A tree listing of all the options available to monitor this FortiGate VM device will be displayed.
To make it easier to view the information available, you may also append >snmp.test to the command
entered above. This will save the output to a file named snmp.test. Enter the command view
snmp.test to view the output file.

FortiGate Multi-Threat Security and Systems I

35

Module 3 Lab 1: Firewall Policy

Module 3
Lab 1: Firewall Policy
The aim of this lab is for students to work with firewall policies and examine the FortiGate unit behavior
when policies are re-ordered.

Objectives

Describe the various actions that can be set in a firewall policy


Demonstrate policy order

Time to Complete
Estimated: 20 minutes

FortiGate Multi-Threat Security and Systems I

36

Module 3 Lab 1: Firewall Policy

Exercise 1 Creating Firewall Objects and Rules


1. From the Windows Server, you first will need to connect to the GUI on the Student FortiGate device
(10.0.1.254) and restore the following configuration file that is needed for this lab:
Resources\Module3\Student\student-policy.conf. The Student FortiGate device will reboot.
2. From the GUI on the Student FortiGate device, go to Firewall Objects > Address > Address and create
the following address object:
Name:

STUDENT_INTERNAL

Type:

Subnet

Subnet/IP Range:

10.0.1.0/255.255.255.0

Interface:

Any

Once the settings have been entered, click OK to save the changes.
3. The unrestricted port3port1 policy will need to be temporarily disabled in the policy list. To do this, go
to Policy > Policy > Policy, right-click the unrestricted port3port1 policy and select Status > Disable.
4. Next click Create New to add a new firewall policy to provide general Internet access from the internal
network. Configure the following settings:
Firewall
Address
port3
STUDENT_INTERNAL
port1
all
always
HTTP, HTTPS, DNS, ALL_ICMP, SSH
(Hold down the CTRL-key to select multiple services.)
ACCEPT
Action:
Enabled
Enable NAT:
Use Destination Interface Address: Enabled
Enable Log all Sessions and select Generate Logs
Log Options:
when Session Starts
General Internet access
Comments:
When creating firewall policies, keep in mind that the FortiGate device is a stateful firewall, therefore, a
firewall policy only needs to be created for the direction of the originating traffic.
Policy Type:
Policy Subtype:
Incoming Interface:
Source Address:
Outgoing Interface:
Destination Address:
Schedule:
Service:

Once the policy settings have been entered, click OK to save the changes.
5. From the virtual Windows Server desktop, open a web browser and connect to various external web
servers.
6. From the CLI, enter the following command to see the source NAT action.
#get system session list
Sample Output:

FortiGate Multi-Threat Security and Systems I

37

Module 3 Lab 1: Firewall Policy

STUDENT # get sys session list


PROTO
EXPIRE SOURCE
DESTINATION-NAT

SOURCE-NAT

DESTINATION

tcp

3600

10.0.1.10:3677

10.0.1.254:22

tcp

3587

10.0.1.10:3717

10.200.1.1:64133 72.30.38.140:80

tcp

3570

10.0.1.10:3681

10.200.1.1:64097 69.171.228.70:80 -

tcp

3577

10.0.1.10:3710

10.200.1.1:64126 74.125.228.92:80 -

tcp

3587

10.0.1.10:3708

10.200.1.1:64124 74.125.228.92:80 -

tcp

3587

10.0.1.10:3706

10.200.1.1:64122 66.94.245.1:80

tcp

2274

10.0.1.10:3608

10.200.1.1:64024 10.200.1.254:22

tcp

3587

10.0.1.10:3712

10.200.1.1:64128 80.239.217.66:80 -

tcp

3566

10.0.1.10:3679

10.200.1.1:64095 74.125.227.24:80 -

Note that the new source address being applied is that of the destination interface port1(10.200.1.1).

FortiGate Multi-Threat Security and Systems I

38

Module 3 Lab 1: Firewall Policy

Exercise 2 Policy Action


1. Use the same steps you performed earlier to create a second firewall policy. Configure the following
settings:
Firewall
Address
port3
STUDENT_INTERNAL
port1
Click Create and configure the following:
Name: LINUX_ETH1
Type: Subnet
Subnet / IP Range: 10.200.1.254/255.255.255.255
Click OK.
always
Schedule:
PING
Service:
DENY
Action:
Enabled
Log Violation Traffic:
Once the policy settings have been entered click OK to save the changes.
Policy Type:
Policy Subtype:
Incoming Interface:
Source Address:
Outgoing Interface:
Destination Address:

2. From the Windows Server, open a DOS command prompt and ping the port1 gateway as follows.
ping t 10.200.1.254
Provided you have not changed the rule ordering, the ping should still work as it matches the ACCEPT
policy and not the DENY policy just created. This demonstrates the behavior of policy ordering. The
second policy was never checked because the traffic matched the first policy. Leave this window open
and perform the next step.
3. From the GUI on the Student FortiGate device, go to Policy > Policy > Policy and right-click any of the
column headings. Select Column Settings > ID. Move this column accordingly for easier viewing. By
default only the sequence number of the firewall policy is displayed in the GUI.
4. Next, click the Seq.# for the DENY policy created previously and drag this policy upwards to position it
before the General Internet access policy.
5. Return to the Windows Server and examine the DOS command prompt window still running the
continuous ping. You should observe that this traffic is now blocked and the replies appear as
Request timed out. Enter CTRL-C to end the ping command.

FortiGate Multi-Threat Security and Systems I

39

Module 3 Lab 1: Firewall Policy

Exercise 3 Configuring Virtual IP Access


In this exercise, a virtual IP address will be configured to allow remote Internet connections to the
Windows Server located at 10.0.1.10.
1. Go to Firewall Objects > Virtual IP > Virtual IP and click Create New to add a new virtual IP mapping
with the following details:
VIP_WIN2K3
Name:
port1
External Interface:
Static NAT
Type:
10.200.1.200
External IP Address/Range:
10.0.1.10
Mapped IP Address/Range:
Once the virtual IP settings have been entered click OK to save the changes.
2. Next, create a new firewall policy to provide access to the web server. Configure the following settings:
Firewall
Address
port1
all
port3
VIP_WIN2K3
always
HTTP
ACCEPT
Enable Log all Sessions and select Generate Logs
when Session Starts
Disabled (default)
Enable NAT:
Public access to web server
Comments:
Once the policy settings have been entered click OK to save the changes.
Policy Type:
Policy Subtype:
Incoming Interface:
Source Address:
Outgoing Interface:
Destination Address:
Schedule:
Service:
Action:
Log Options:

3. The firewall is stateful so any existing sessions will not use this new firewall policy until they time out or
are cleared. The sessions can be cleared individually from the session widget on the Status page or
from the CLI by executing the following:
diag sys session clear
4. Connect to the console of the remote Windows host. (From the virtual lab applet, go to Operations >
Connect to Secondary > WinXP to connect to the console of your WINXP host.)
On the WinXP desktop, open a web browser and access the following URL:
http://10.200.1.200
If the virtual IP operation is successful a simple web page appears displaying the message It
works!.
5. From the CLI on the Student FortiGate device, check the destination NAT entries in the session
table by using the following command:

FortiGate Multi-Threat Security and Systems I

40

Module 3 Lab 1: Firewall Policy

#get system session list


Sample Output:
STUDENT # get sys session list
PROTO
EXPIRE SOURCE
DESTINATION-NAT
tcp

3537

10.200.3.1:62426

SOURCE-NAT

DESTINATION

10.200.1.200:80

10.0.1.10:80

6. On the virtual Windows Server desktop open a web browser and connect to a few external web sites.
Now examine the session information again as follows:
#get system session list
Sample Output:
STUDENT # get sys session list
PROTO
EXPIRE SOURCE
DESTINATION-NAT

SOURCE-NAT

tcp

3591

10.0.1.10:3995

10.200.1.200:3995 66.94.241.1:80

tcp

3590

10.0.1.10:3977

10.200.1.200:3977 72.30.38.140:80

tcp

3553

10.0.1.10:3965

10.200.1.200:3965 184.150.187.83:80 -

tcp

3592

10.0.1.10:3998

10.200.1.200:3998 74.125.228.92:80 -

tcp

3584

10.0.1.10:3969

10.200.1.200:3969 69.171.237.16:80 -

tcp

3596

10.0.1.10:4001

10.200.1.200:4001 208.91.113.80:80 -

tcp

3590

10.0.1.10:3983

10.200.1.200:3983 216.115.100.102:80 -

tcp

3590

10.0.1.10:3979

10.200.1.200:3979 216.115.100.103:80 -

tcp

3590

10.0.1.10:3987

10.200.1.200:3987 216.115.100.102:80 -

tcp

3590

10.0.1.10:3981

10.200.1.200:3981 216.115.100.103:80 -

tcp

3590

10.0.1.10:3985

10.200.1.200:3985 216.115.100.102:80 -

tcp

1013

10.0.1.10:3608

10.200.1.1:64024 10.200.1.254:22

tcp

3589

10.0.1.10:3976

10.200.1.200:3976 72.30.38.140:80

tcp

3591

10.0.1.10:3996

10.200.1.200:3996 184.150.187.99:80 -

tcp

3554

10.0.1.10:3967

10.200.1.200:3967 74.125.228.65:80 -

tcp

3590

10.0.1.10:3990

10.200.1.200:3990 216.115.100.103:80 -

FortiGate Multi-Threat Security and Systems I

DESTINATION

41

Module 3 Lab 1: Firewall Policy

tcp

3591

10.0.1.10:3978

10.200.1.200:3978 216.115.100.103:80 -

tcp

3590

10.0.1.10:3980

10.200.1.200:3980 216.115.100.103:80 -

Note that the outgoing connections from the Windows Server are now being NATed with the VIP
address as opposed to the firewall address. This is a behavior of the static NAT (SNAT) VIP. That is,
when SNAT is enabled on a policy, a VIP static NAT takes priority over the destination interface IP
address.

FortiGate Multi-Threat Security and Systems I

42

Module 3 Lab 1: Firewall Policy

Exercise 4 Configuring IP Pools


Currently, all traffic generated from the Windows Server through the Student FortiGate device has a
translated source IP address of 10.200.1.200 because of the static NAT translation in the VIP.
In this exercise, an IP address pool will be applied to a new rule which will override this behavior.
1. From the GUI on the Student FortiGate device, go to Firewall Objects > Virtual IP > IP Pool and create
a new IP pool using the following settings:
WIN2K3_EXT_IP
Name:
10.200.1.100
External IP Range/Subnet:
Once the policy settings have been entered click OK to save the changes.
2. Go to Policy > Policy > Policy, and right-click the outgoing General Internet access policy. Select Copy
Policy then right-click the same policy again and select Paste > Above.
3. Select the new copy of the General Internet access policy and configure the following settings:
Firewall
Address
port3
WIN2K3
port1
all
always
ALL
ACCEPT
Enable Log all Sessions and select Generate Logs
when Session Starts
Enabled
Enable NAT:
WIN2K3_EXT_IP
Use Dynamic IP Pool:
Windows Server source NAT override
Comments:
Once the Policy settings have been entered click OK to save the changes and verify that you have
enabled it.
Policy Type:
Policy Subtype:
Incoming Interface:
Source Address:
Outgoing Interface:
Destination Address:
Schedule:
Service:
Action:
Log Options:

4. The firewall does stateful inspection so any existing sessions will not use this new firewall policy until
they time out or are cleared. The sessions can be cleared individually from the session widget on the
status page or from the CLI by executing the following:
diag sys session clear
5. Connect to a few external web sites and then examine the session table to check the source NAT
used. From the CLI on the Student FortiGate device enter the following command to verify the
source NAT IP address:
# get system session list
Sample Output:
STUDENT # get system session list

FortiGate Multi-Threat Security and Systems I

43

Module 3 Lab 1: Firewall Policy

PROTO
EXPIRE SOURCE
DESTINATION-NAT

SOURCE-NAT

DESTINATION

tcp

3599

10.0.1.10:3963

10.200.1.100:64379 74.125.225.126:443 -

tcp

3599

10.0.1.10:3961

10.200.1.100:64377 74.125.225.111:443 -

tcp

3552

10.0.1.10:3953

10.200.1.100:64369 76.74.133.167:80 -

tcp

3597

10.0.1.10:3956

10.200.1.100:64372 74.125.225.118:80 -

tcp

3597

10.0.1.10:3954

10.200.1.100:64370 74.125.225.117:80 -

tcp

3598

10.0.1.10:3959

10.200.1.100:64375 199.7.57.72:80

tcp

16

10.0.1.10:3948

10.200.1.100:64364 66.36.238.121:22 -

tcp

3598

10.0.1.10:3958

10.200.1.100:64374 209.85.225.84:443 -

tcp

3599

10.0.1.10:3962

10.200.1.100:64378 74.125.225.99:443 -

tcp

10.0.1.10:3960

10.200.1.100:64376 98.139.200.238:80 -

tcp

3597

10.0.1.10:3955

10.200.1.100:64371 74.125.225.118:80 -

Observe that the source NAT address is now 10.200.1.100 as configured in the VIP pool, therefore
the order of precedence is IP Pool > Static-NAT VIP > Destination Interface.

FortiGate Multi-Threat Security and Systems I

44

Module 3 Lab 2: Traffic Log

Lab 2: Traffic Log


The aim of this lab is to read traffic logs and become familiar with its contents.

Objectives

Demonstrate how to enable traffic logging


Read and understand traffic log entries

Time to Complete
Estimated: 5 minutes

FortiGate Multi-Threat Security and Systems I

45

Module 3 Lab 2: Traffic Log

Exercise 1 Enabling Traffic Logging


1. Go to Policy > Policy > Policy and click the Seq.# of the DENY policy that you created previously. Drag
this policy to position it BEFORE the Window Server Source NAT Override policy.
2. Edit the DENY policy and verify that Log Violation Traffic is enabled.
3. From the Windows Server, open a DOS command prompt and ping the port1 gateway as follows.
ping t 10.200.1.254
Provided you have positioned the rule correctly this traffic should be blocked, and timeout.
4. From the GUI on the Student FortiGate device, go to Log & Report > Traffic Log > Forward Traffic to
examine the log entries. You should observe violation traffic entries. These entries appear with red X
symbols under the column Security Action.
5. Edit the DENY policy. Change the Action setting to ACCEPT, and enable NAT by selecting the Enable
NAT checkbox. Once these policy settings have been entered click OK to save the changes.
From the Windows Server, you should observe that the ping now succeeds.
6. From the GUI on the Student FortiGate device, go to Log & Report > Traffic Log > Forward Traffic.
The log entries will no longer show violation traffic, but summaries of the ping traffic that passed.

FortiGate Multi-Threat Security and Systems I

46

Module 3 Lab 3: Device Policies

Lab 3: Device Policies


In this exercise you will create a Firewall policy that uses email captive portal. Once the device is learned,
give access by the device to a test web server.

Objectives

Demonstrate how to enable Device Identification


Configure Device Identification policies

Time to Complete
Estimated: 10 minutes

FortiGate Multi-Threat Security and Systems I

47

Module 3 Lab 3: Device Policies

Exercise 1 Enabling Device Identification


1. From the virtual Windows Server host, you first will need to connect to the Student FortiGate device and
restore the configuration file needed for this exercise.
Restore the following configuration file: Resources\Delta\delta-student-initial.conf.
2. Edit the outgoing port3 to port2 firewall policy using the following settings:
Policy Type:
Policy Subtype:
Incoming Interface:
Source Address:
Outgoing Interface:
Enable NAT:

Firewall
Device Identity
port3
STUDENT_INTERNAL
port2
Enabled. Select Use Destination Interface Address

3. Next click Create New under Configure Authentication Rules and create the following sub-policies:
Sub-policy 1:
Destination Address:
Device:
Schedule:
Service:
Action:
Click OK.

all
Windows PC
always
HTTP
Accept

Sub-policy 2:
Destination Address:
Device:
Schedule:
Service:
Action:

all
Collected Emails
always
HTTP, HTTPS, ALL_ICMP, SSH, SMTP, POP3, FTP
(Hold down the CTRL-key to select multiple services.)
ACCEPT

Click OK.
4. Under Device Policy Options enable Prompt E-mail Collection Portal for all devices as follows:

Once you have configured all the above policy settings, click OK to save the changes.

FortiGate Multi-Threat Security and Systems I

48

Module 3 Lab 3: Device Policies

5. Use drag-and-drop to reorder the sub-policies. The captive portal policy should be last in the sub-policy
list because this rule should only be matched if the device has not already been identified.
In this example, the first web traffic from the client matches the email captive portal rule. The
subsequent traffic matches the collected email device object as we now have this information.
6. Check the device policy and sub-policies.

Click OK.
7. Test the device policy on the Student FortiGate device. First execute the following CLI commands to
disable the email DNS check for the captive portal. (This step is required for the purposes of this lab.)
config system settings
set email-portal-check-dns disable
end
8. From your web browser, connect to: http://10.200.1.254
The portal should appear. Accept the conditions and enter your email address when prompted.
FortiGate should now redirect you to the web site.
9. From the CLI, use debug flow to examine the traffic:
diag debug flow filter addr 10.200.1.254
diag debug flow show func en
diag debug flow show cons en
diag debug enable
diag debug flow trace start 20
10. Go to User & Device > Device > Device Definition and check the new device.
This is a dynamic device. FortiGate may update and stored its list of devices to the flash to speed up
FortiGate Multi-Threat Security and Systems I

49

Module 3 Lab 3: Device Policies

detection.
diag user device list
11. Clear the device from the CLI:
diag user device clear
12. Reload the web page. You should observe that you are redirected to the email portal again. Accept the
conditions and enter your email address.
13. Perform a show from the CLI to confirm there are no devices in the configuration file.
show user device
14. From the GUI, go to User & Device > Device > Device Definition and edit your device from the device
list. Add an alias called myDevice. This creates a static device in the configuration file.
Once you have the alias entered, click OK to save the change.
Perform the following show command to confirm that the device now appears in the configuration file.
show user device
15. Go to User & Device > Device > Device Group. Note that your device is already a member of several
predefined device groups.
Click Create New and add a new device group called myDevGroup.
Next, add myDevice to the Members list and click OK.
Note that your device is still a member of the predefined groups and is now a member of the custom
group myDevGroup.
16. From a command prompt on the virtual Windows host, open an FTP connection to: 10.200.1.254
Once you have connected, close the FTP connection.
17. Now add a sub-policy to your firewall device policy blocking FTP.
Edit the device policy and create the following sub-policy:
Sub-policy 3:
Destination:
Device:
Schedule:
Service:
Action:
Log Violation Traffic:

LINUX_ETH1
myDevGroup
always
FTP
Deny
Enable

Click OK.
18. Use drag-and-drop to reorder the sub-policies so that this policy is first in the list.
19. From your PC test that you can open an FTP connection to ftp://10.200.1.254

FortiGate Multi-Threat Security and Systems I

50

Module 3 Lab 3: Device Policies

You should observe that the connection now fails to establish.


View the traffic logs and find the deny entry.

FortiGate Multi-Threat Security and Systems I

51

Module 4 Lab 1: User Authentication

Module 4
Lab 1: User Authentication
The aim of this lab is to introduce students to user authentication management on the FortiGate unit.

Objectives

Create an identity-based policy


Manage user authentication

Time to Complete
Estimated: 20 minutes

FortiGate Multi-Threat Security and Systems I

52

Module 4 Lab 1: User Authentication

Exercise 1 Identity-based Firewall Policy


1. From the Windows Server, you first will need to connect to the student FortiGate device and restore the
configuration file that is needed for this lab.
2. Connect to the GUI on the student FortiGate device (10.0.1.254) and restore the following configuration
file: Resources\Module4\Student\student-auth.conf.
The Student FortiGate device will reboot.
3. When the device has rebooted review the user configuration for this lab.
Go to User & Device > User > User Definition to review the local user settings
Go to User & Device > User Group > User to review the user group configuration.
4. On the virtual Windows Server desktop, open a web browser and connect to a new web site.
At the login prompt, enter the following credentials:
student
Username:
F0rtinet
Password:
You should observe that after successful authentication, you are redirected to your destination web site.
5. From the GUI on the student FortiGate, go to Policy > Policy > Policy and review the outgoing port3
port1 firewall policy with authentication configured.
6. Next, open a putty.exe session and try to ping or connect via SSH to 10.200.1.254. You should
observe that using either of these tests will fail.
Even though there is an accept rule for this traffic, it is not being allowed. This highlights an important
behavior of identity policies. The service becomes a permission and not a selector, therefore, in our
example the identity policy matches all outgoing traffic regardless of service. The service is then
allowed if it is set for the user.
Since the Authentication policy matches the source IP and SSH is not an allowed service, the FortiGate
will not look for another matching firewall policy. A policy has already been found and the traffic is not
allowed through it.
There are two ways that you can use to correct this. You can either add ALL_ICMP and SSH to the
identify policy rule for the training user group, or move the regular policy before the identity policy.
Using either one of these options, make your configuration change and retest using ping or by
connecting through SSH. If using SSH, log in as root with the password: password.
7. Go to User & Device > Monitor > Firewall to view the details of the authenticated user along with the
policy used to authenticate this user.
8. Next go to Log & Report > Event Log > User and locate the log messages for the firewall policy
authentication events. The details for the entry are displayed in the lower pane of the Event Log
window.
Notice that the users name student is now included in the log messages.
FortiGate Multi-Threat Security and Systems I

53

Module 4 Lab 1: User Authentication

9. From the CLI, view the IP addresses and users which have successfully authenticated to the FortiGate
unit with the following command:
diag firewall auth list
Clear all authenticated sessions with the following command:
diag firewall auth clear
Caution: Be careful using this command on a live FortiGate as it will clear
ALL authenticated users.

FortiGate Multi-Threat Security and Systems I

54

Module 5 Lab 1: SSL VPN

Module 5
Lab 1: SSL VPN
The aim of this lab is for students to work with and manage user groups and portals for the SSL VPN.

Objectives

Configure and connect to an SSL VPN


Enable various authentication security options

Time to Complete
Estimated: 30 minutes

FortiGate Multi-Threat Security and Systems I

55

Module 5 Lab 1: SSL VPN

Exercise 1 Configuring SSL VPN for Web Access


1. From the Windows Server, connect to the GUI on the student FortiGate device (10.0.1.254) and restore
the following configuration file: Resources\Module5\Student\student-ssl.conf.
The FortiGate will reboot.
2. When the device has rebooted, review the SSL VPN configuration access for this lab. Go to Policy >
Policy > Policy and examine the port1port3 policy for SSL VPN. Note from the policy list that this
policy has a sub-policy.
Edit this policy to view its components. The settings are configured as follows:
VPN
Policy Type:
SSL-VPN
Policy Subtype:
port1
Incoming Interface:
all
Remote Address:
port3
Local Interface:
WIN2K3
Local Protected Subnet:
Disabled
SSL Client Certificate Restrictive:
The policy is incoming, that is from the external network to the internal network.
The policy subtype is SSL VPN which indicates further processing besides only accepting the traffic.
Under Configure SSL-VPN Authentication Rules, edit the first rule to view its contents. Notice that this
allows users in the training group to access the web-access SSL-VPN portal.

FortiGate Multi-Threat Security and Systems I

56

Module 5 Lab 1: SSL VPN

You will notice that this rule contains many settings including Groups(s), User(s), Schedule, Service
and SSL-VPN Portal. Select Cancel to close the edit window for this sub-policy.
In an upcoming exercise, we will be adding on to this policy to allow tunnel access.
3. To observe the effect of this policy you will now access the SSL VPN. On the virtual external Windows
XP host desktop, open a web browser and access the SSL VPN by browsing to the following URL:
https://10.200.1.1.
Accept the security warnings for the self-signed certificate and log in using the following credentials:
student
Username:
F0rtinet
Password:
You should notice that you are successfully able to log in however, the web portal is currently in
default settings. We will now configure the web-access portal which is selected in the SSL VPN
policy. Log out and return to the virtual Windows Server host.
4. Go to VPN > SSL > Portal and from the drop-down list displayed in the top right hand corner, select
web-access to edit this portal. Verify that Include Bookmarks is selected and then in the table
shown, create the following bookmarks for the internal server.
Bookmark for HTTP:
Category:
Name:

Test
HTTP/HTTPS

FortiGate Multi-Threat Security and Systems I

57

Module 5 Lab 1: SSL VPN

Type:
Location:
Click OK.

HTTP/HTTPS
10.0.1.10

Bookmark for RDP:


Category:
Name:
Type:
Location:
Click OK.

Test
RDP
RDP
10.0.1.10

Modify the Portal Message with a message of your choice then click Apply to save all the changes.
Select View Portal to review your changes.
5. Test the SSL VPN access again from the external Windows host (WINXP) by browsing to:
https://10.200.1.1
You should now observe that you have two book marks listed.
6. Select the HTTP/HTTPS bookmark and examine the items listed below to understand how the web
access functions.
Note the URL of the web site in the browser address bar:
https://10.200.1.1/proxy/http/10.0.1.10/
The first part of the address is the encrypted link to the FortiGate SSL
VPN gateway: https://10.200.1.1/
The second part of the address is the instruction to use the SSL VPN
HTTP proxy: .../proxy/http...
The final part of the address is the destination of the connection from
the HTTP proxy: .../10.0.1.10/
In this example, the connection is encrypted up to the SSL VPN gateway. The connection to the final
destination from the HTTP proxy is in clear text.
7. Return to the virtual Windows Server device and from the GUI on the Student FortiGate device, go
to VPN > Monitor > SSL-VPN Monitor. Locate the details of the SSL VPN connection.
Note the User, Source IP and Begin Time.
8. Go to Log & Report > Event Log > VPN and view the corresponding log entry. Look for the SSL
tunnel established message.
9. From the external Windows XP host, log out of the SSL VPN connection. Return to the log and look
for the SSL tunnel shutdown message.

FortiGate Multi-Threat Security and Systems I

58

Module 5 Lab 1: SSL VPN

Exercise 2 Configuring SSL VPN for Tunnel Mode


In this exercise you will edit the current SSL policy adding a new sub-rule for a second user configured for
tunnel mode.
1. Edit the SSL VPN policy and under Configure SSL-VPN Authentication Rules, create a new sub-policy
for a full-access portal using the following settings:
Group(s):

training

Schedule:

always

SSL-VPN Portal:

full-access

After adding the sub-policy, click OK to save the changes.


2. To observe the effect of this sub-policy you will now access the SSL VPN again. From the virtual
external Windows XP host desktop, open a web browser and access the SSL VPN by browsing to the
following URL:
https://10.200.1.1
When prompted, log in to the SSL VPN using the following credentials:
Username:
Password:
3. What do you see when you login?

student
F0rtinet

You should see the same portal as in the previous exercise. Why?
The training user group is associated with both sub-policies therefore the first one matching the webaccess portal is applied.
You could move the rule so that the rule for the full-access portal is first in the list however, this will end
up affecting all users in that group. Instead, edit the sub-rule created in step 1 above and set the user
group to training2.
Click OK to save the rule settings, then click OK again to save the policy changes.
4. In the web browser on the virtual remote Windows XP host, connect to the SSL VPN portal once again
using the URL: https://10.200.1.1. Note that you may need to clear the web browsers cache if the
login window is not displayed.
This time, log in to the SSL VPN using the following credentials:
student2
Username:
F0rtinet2
Password:
You should now observe that the portal established is the full-access portal.
Note: If using the SSL VPN client available with FortiClient, you do not
need to log in via the portal.

FortiGate Multi-Threat Security and Systems I

59

Module 5 Lab 1: SSL VPN

5. In the Tunnel Mode panel, click Connect. You should see a link status of UP and the bytes sent and
received incrementing.
6. On the virtual remote Windows host, open a DOS command prompt and perform the following:
ipconfig
Note down your assigned IP address for reference.
Note that the fortissl adapter has an IP address. Where does this IP address come from? Display
the routing information by entering the following command:
route print
Note the low metric routes and observe that there is a route to 10.0.1.10. Where did this come from?
Run a continuous ping to 10.0.1.10 as follows.
ping t 10.0.1.10
7. From the GUI on the Student FortiGate device go to VPN > Monitor > SSL-VPN Monitor. The SSLVPN Monitor displays the client connections and the IP allocated to the tunnel connection.
8. In the firewall policy list, examine the Count field to see the packets and bytes per policy. You may
need to reposition this column accordingly for easier viewing.
Notice that there is traffic associated with the incoming rule from the ssl.<vdom name> interface. This
rule is created automatically. This traffic is the incoming traffic from your SSL VPN client.
Where does your assigned address come from?
9. Go VPN > SSL > Portal to access the SSL VPN portal configuration. Edit the full-access portal.
Within the Enable Tunnel Mode options, note the IP Pool used which refers to a firewall address object.
10. Go to Firewall Objects to look up that firewall address object. What are the values of that object?
The object defines an address range that matches your assigned address, so this is how IP addresses
are configured and assigned to SSL VPN clients.
Where does the route to 10.0.1.10 come from?
HINT: In the policy list, look at the Destination address of the SSL VPN policy.
You will observe that the address object values for WIN2K3 are 10.0.1.10/32, so this is where
the SSL VPN client route came from.
With this present configuration, the SSL VPN client is split tunneling. This means that only traffic to
the specific destination behind the firewall is tunneled, and all other traffic goes to the default
gateway.
What configuration change would you need to make to give the client a default route into the tunnel?
Disable split tunneling in the full-access portal which means a default route is pushed to the client
FortiGate Multi-Threat Security and Systems I

60

Module 5 Lab 1: SSL VPN

forcing all traffic into the tunnel.

FortiGate Multi-Threat Security and Systems I

61

Module 6 Lab 1: IPSec VPN

Module 6
Lab 1: IPSec VPN
The aim of this lab is for students to configure an IPSec VPN on the FortiGate device using both interfacebased and policy-based modes.

Objectives

Configure and implement interface and policy-based IPSec VPNs


Demonstrate the differences between interface and policy-based VPNs
Explain IPSec VPN configuration options

Time to Complete
Estimated: 30 minutes

FortiGate Multi-Threat Security and Systems I

62

Module 6 Lab 1: IPSec VPN

Exercise 1 Site to Site IPsec VPN


1. From the Windows Server, you first will need to connect to the Student and Remote FortiGate devices
and restore the configuration files that are needed for this lab.
Connect to the GUI on the Student FortiGate device (10.0.1.254) and restore the following
configuration file: Resources\Module6\Student\student-ipsec.conf.
The Student FortiGate device will reboot.
2. Connect to the GUI on the Remote FortiGate device (10.200.3.1) and restore the following
configuration file: Resources\Module6\Remote\remote-ipsec.conf.
The Remote FortiGate device will reboot.
3. When the Student FortiGate device has rebooted, open a DOS command prompt from the virtual
Windows Server and run a continuous ping to the remote Windows XP host as follows:
ping

-t 10.0.2.10

4. From the GUI on the Student FortiGate device, go to VPN > Monitor > IPsec Monitor and examine the
tunnel status.
You should observe a tunnel named remote with the destination 10.200.3.1 and the status is
currently up. This is the tunnel that is established to the Remote FortiGate device.
5. From the Student FortiGate device review the firewall policy port3remote. View the Count column so
that you can see the packets and bytes per policy.
Observe that the counter is incrementing for the port3remote policy.
What is the interface remote?
Go to System > Network > Interface and note the blue arrow head associated with port1. If you expand
this you will be able to see the remote interface and the type for this interface which is set to Tunnel
Interface.
6. Go to VPN > IPsec > Auto Key (IKE) and review the IPsec configuration. Note the Phase 1 and Phase
2 IKE objects.
Edit the Phase1 IKE object remote. Select Advanced to view all the settings. Note that IPsec Interface
Mode is selected.
These settings can also be viewed through the CLI as follows:
conf vpn ipsec phase1-interface
show
The Phase1 IKE object is the IPsec interface referenced in the interface list and firewall policy. How
is the traffic getting to this policy?

FortiGate Multi-Threat Security and Systems I

63

Module 6 Lab 1: IPSec VPN

Traffic arrives at the FortiGate unit on the ingress interface. For new connections, a routing lookup is
performed to select the egress interface and gateway, and then there is a lookup in the firewall policy to
find a matching rule. It is the routing lookup that selects the egress, and therefore, the remote interface
is selected in this case. So a route is driving the traffic to the IPsec interface.
7. Go to Router > Monitor and view the current routing table. You will observe a static route to the
destination 10.0.2.0/24 pointing to the remote interface.
This is an example of the route-based VPN configuration. The alternative is the policy base VPN which
we will review next.
Generally, the route-based VPN is the preferred approach however there are a few exceptions where
you would need to use the policy-based VPN. These will be discussed later.
8. Open a web browser on the Windows Server and connect to the GUI on the Remote FortiGate device.
9. Go to VPN > Monitor > IPsec Monitor and examine the tunnel status from the Remote FortiGate device.
You should observe a tunnel named student with the destination 10.200.1.1 and the Status is up.
This is the tunnel that is established to the Student FortiGate device.
10. Still on the Remote FortiGate device, go to System > Network > Interface and note there is no tunnel
sub-interface for port4.
11. Go to Route > Monitor and view the current routing table. You will observe that there is no route to the
10.0.2.0/24 destination, there is only a default route.
How is the traffic entering the tunnel then?
12. Review the firewall policy that exists on the Remote FortiGate device. Note that there is a policy from
port6 to port4 for address 10.0.2.0/24 (REMOTE_INTERNAL) to address 10.0.1.0/24
(STUDENT INTERNAL) with action IPsec.
Edit this policy to view its settings.
The policy subtype is IPsec, and it uses the VPN Tunnel called student. It also has permissions to
allow traffic inbound as well as outbound. We will look at these settings later.
How is the traffic matching this policy?
On the Student FortiGate device, a static route was sending traffic to the IPSec interface. Here there is
no static route and the traffic is being sent to the tunnel using the policy subtype setting, hence policybased.
The IPSec policy matches traffic from 10.0.2.0/24 to 10.0.1.0/24 and forwards it the tunnel
student.
13. From the Remote FortiGate device, go to VPN > IPsec > Auto Key (IKE) and review the IPSec
configuration. Note the Phase 1 and Phase 2 IKE objects.
These settings can also be viewed through the CLI:
conf vpn ipsec phase1-interface

FortiGate Multi-Threat Security and Systems I

64

Module 6 Lab 1: IPSec VPN

conf vpn ipsec phase2-interface


14. Edit the Phase1 IKE object remote and select Advanced to view all the settings. Note that IPSec
Interface Mode is not selected.
The Phase1 IKE object is the IPSec tunnel referenced in the IPSec firewall policy. Here we are using
policy-based on the Remote FortiGate device and interface-based on the Student FortiGate device.
The type we use is of local significance therefore we can mix them, as is the case in this example.
15. From the remote Windows XP host, attempt to run a continuous ping to: 10.0.1.10.
You should observe this ping fails. Can you Identify why?
If the VPN is in Tunnel mode then only a single Firewall policy is used in order to allow and regulate
incoming and outgoing traffic. However if the policy is in Interface mode then a VPN Firewall policy is
separately needed to allow inbound and outbound communication.
In the Student FortiGate device we have only configured the outgoing policy and the VPN is in Interface
mode. This is why the new incoming connection is dropped, there is no firewall policy to allow it.
16. Return to the Student FortiGate device and add the missing firewall policy.
You should observe the ping now succeeds.

FortiGate Multi-Threat Security and Systems I

65

Module 7 Lab 1: Antivirus Scanning

Module 7
Lab 1: Antivirus Scanning
The aim of this lab is to work with both flow-based and proxy-based Antivirus scanning.

Objectives

Configure flow-based and proxy-based antivirus scanning


Test FortiGate antivirus scanning behavior

Time to Complete
Estimated: 30 minutes

FortiGate Multi-Threat Security and Systems I

66

Module 7 Lab 1: Antivirus Scanning

Exercise 1 Antivirus Testing


1. From the Windows Server, you first will need to connect to the Student FortiGate device and restore the
configuration file that is needed for this lab.
Connect to the GUI on the Student FortiGate device (10.0.1.254) and restore the following configuration
file: Resources\Module7\Student\student-utm.conf.
The Student FortiGate device will reboot.
2. When the FortiGate device has rebooted go to Security Profiles > AntiVirus > Profile and configure the
default profile as follows to enable AV scanning on HTTP:
Proxy
Inspection Mode:
Select HTTP and deselect all other settings
Virus Scan and Removal:
Once the inspection settings have been entered click Apply to save the changes.
3. Go to Policy > Policy > Policy and edit the port3port1 policy. Turn ON AntiVirus and ensure that the
default antivirus profile is selected.
Once the profile is enabled on the policy click OK to apply the changes.
4. Next go to Policy > Policy > Proxy Options and examine the default proxy options that are shown.
These settings determine how FortiOS handles each protocol. For example, which port numbers to use,
whether to use client comforting, block oversized emails and so on.
5. Go to System > Config > Replacement Message. From the top right-hand corner select Extended View
and under Security modify the Virus Block Page.
The HTML editor that is displayed allows you to see the changes as you are making them. If you do
not wish to use the standard block pages they can be edited and modified as the situation requires.
Click Save shown above the editor window to apply any changes.
6. From the virtual Windows Server host, launch a web browser and access the following web site:
http://eicar.org
7. On the Eicar web page, click Download ANTI MALWARE TESTFILE (located in the top right-hand
corner of the page) and then click the Download link that appears on the left.
Download the any of the eicar sample files from the section Download area using the standard
HTTP protocol.
The download attempt will be blocked by the FortiGate unit and a replacement message will be
displayed similar to the following (should also include any customization you made earlier):

FortiGate Multi-Threat Security and Systems I

67

Module 7 Lab 1: Antivirus Scanning

The EICAR file is an industry-standard used to test antivirus detection. The file contains the following
characters:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
8. The HTTP virus message is shown when infected files are blocked or have been quarantined. In the
message that is displayed, click the link to the Fortinet Virus Encyclopedia to view information about the
detected virus.
9. From the GUI on Student FortiGate device, go to Log & Report > Traffic Log > Forward Traffic and
locate the antivirus event messages.
In order to view summary information of the AV activity, add the Advanced Threat Protection Statistics
widget to the Dashboard.
10. On the Eicar web page, click Download ANTI MALWARE TESTFILE and then click the Download link
that appears on the left. This time, select the eicar.com file from the Download area using the secure
SSL enabled protocol HTTPS section.
The download should be successful because we have not enabled SSL inspection.
11. To enable inspection of SSL encrypted traffic on the Student FortiGate unit, go to Policy > Policy >
SSL/SSH Inspection and under SSL Inspection Options, ensure the protocol HTTPS on port 443 is
enabled.
Click Apply.
12. Next, go to Policy > Policy > Policy and edit the policy: port3port1. Under Security Profiles enable
SSL/SSH Inspection by setting this to ON. Click OK.
13. To ensure that there are no existing sessions prior to deep scanning the communication exchange,
connect to the CLI of the Student FortiGate unit and enter the following command:
diag sys session filter dport 443
diag sys session clear
14. Return to the Eicar web page and attempt to download the eicar.com file from the Download area
using the secure SSL enabled protocol HTTPS section.
This time, the download will be blocked by the FortiGate unit and the replacement message will be
displayed. If this is not the case, you may need to clear your recent browsing history as the object
may be cached. In Firefox select History > Clear Recent History > Everything.

FortiGate Multi-Threat Security and Systems I

68

Module 7 Lab 1: Antivirus Scanning

15. Go to Security Profiles > Antivirus > Profile and change the Inspection Mode for the default Antivirus
Profile to Flow-based. Click Apply.
Try downloading the eicar.com file again. What happens now when the virus is detected?

FortiGate Multi-Threat Security and Systems I

69

Module 8 Lab 1: Email Filtering

Module 8
Lab 1: Email Filtering
The aim of this lab is for students to work with email filtering.

Objectives

Enable and use email filtering on a FortiGate unit


Modify inspection rules to black or white list emails (using banned word, IP, email etc.)
Read and interpret email log entries

Time to Complete
Estimated: 30 minutes

FortiGate Multi-Threat Security and Systems I

70

Module 8 Lab 1: Email Filtering

Exercise 1 Configuring FortiGuard AntiSpam


1. From the Windows Server, connect to the GUI on the student FortiGate device (10.0.1.254) and
restore the following configuration file: Resources\ Module7\Student\student-utm.conf.
The FortiGate will reboot.
2. Once the FortiGate has rebooted, go to System > Config > Features. Under Security Features turn ON
Email Filtering. This step is required to enable the Email filtering feature on the FortiGate device. By
default, this is a hidden security feature. Click Apply to save the changes.
3. Next, go to Security Profiles > Email Filter > Profile and edit the default email filtering profile. Select
Enable Spam Detection and Filtering to enable it then click Apply. Configure the following settings:
Tagged
Enable IP Address Check
Enable URL Check
Once the changes to the email profile have been entered, click Apply to save the changes.

SMTP Spam Action:


FortiGuard Spam Filtering:

4. By default FortiGuard services are enabled. Go to System > Config > FortiGuard and check the status
of the service. (If you are using the hosted virtual lab environment you will need to change the service
port to UDP 8888).
5. Go to Policy > Policy > Policy and edit the port3port1 outgoing policy. Under Security Profiles, turn
ON Email Filter and ensure that the default email filter profile is selected.
In the steps that follow, you will generate and send test spam emails to your Microsoft Outlook
user@internal.lab inbox. In the classroom lab environment, you will initiate the spam generation using
a script called smtpmboxgen.pl which is provided in the Resources\Module8 folder. Details for using
this script will be provided in the steps that follow.
6. From the Windows server, open a command prompt and change directory to the C:\Documents and
Settings\Administrator\Desktop\Resources\Module8 folder as follows:
CD C:\Documents and Settings\Administrator\Desktop\Resources\Module8
Next run the spam script by entering the following:
smtpmboxgen.pl
7. From your Microsoft Outlook mail client, check the email inbox to review the tagged spam. To view the
corresponding logging events, go to Log & Report > Traffic Log > Forward Log.
8. From the CLI on the Student FortiGate device, execute the following commands to enable Banned
Word Check in the default email filter profile:
config spamfilter profile
edit "default"
set spam-filtering enable
set options bannedword spamfsip spamfsurl

FortiGate Multi-Threat Security and Systems I

71

Module 8 Lab 1: Email Filtering

set spam-bword-table 1
end
9. Next, run the commands below to review the banned words that have already been configured for you
in the configuration file being used for this lab.
config spam bword
show
Notice the use of both regular expression and wild cards in that list.
10. Go to Security Profiles > Email Filter > Profile again and this time modify the default email filtering
profile to set the SMTP Spam Action to Discard.
11. From your Microsoft Outlook mail client, generate a message to: test@gmail.com that will be caught by
the banned words that have been configured. For example, add the word training to the subject or
message body of your test email and attempt to send the message.
When you send the email the following message displays indicating the message was blocked:

Remember that some banned words apply only to the subject line, others apply only to the body and
others apply to both.
A banned word is only scored once, for example if a banned word has a score 10 and yet the word
occurs four times in the message body, it will only still be assigned a count of 10.
12. Go to Log & Report > Security Log > Email Filter and check the email filtering log entries for this
event as well. To make it easier to view all email activity, add the column Dst Port and filter on port
25.
FortiGate Multi-Threat Security and Systems I

72

Module 9 Lab 1: Web Filtering

Module 9
Lab 1: Web Filtering
The aim of this lab is for students to configure web filtering to block specific categories of web content. The
interaction of local categories and overrides will also be demonstrated.

Lab Objectives

Enable and use web filtering on a FortiGate device


Select the most effective method for blocking or allowing a web site
Read and interpret web filter log entries

Time to Complete
Estimated: 30 minutes

FortiGate Multi-Threat Security and Systems I

73

Module 9 Lab 1: Web Filtering

Exercise 1 FortiGuard Web Filtering


1. From the Windows Server, you will first need to connect to the Student FortiGate device and restore the
configuration file that is needed for this lab. This module uses the same config as in Module 7.
Connect to the GUI on the Student FortiGate device (10.0.1.254) and restore the following configuration
file: Resources\ Module7\Student\student-utm.conf.
The Student FortiGate device will reboot.
2. When the FortiGate device has rebooted go to System > Status and under License information check
the FortiGuard Services Web Filtering status to ensure that the license has been validated. A green
check mark should be displayed.
3. In the GUI on the Student FortiGate device, go to Security Profiles > Web Filter > Profile and review the
settings of the default web filter profile.
4. Verify that the Inspection Mode is set to Proxy and enable FortiGuard Categories.
Under FortiGuard Categories right-click the web category Potentially Liable and select the action:
Authenticate.
Next, set Selected User Groups to the training user group and accept the default Warning Interval value
of 5 minutes.
Click OK to save the settings.
5. Repeat the above step for the following web categories:

Adult/Mature Content
Security Risk
Click OK to save the settings.

6. Next right-click the web category Bandwidth Consuming, and select Warning. Accept the default
Warning Interval value of 5 minutes then click OK to save the settings.
7. Repeat the above step for the web category: Unrated.
Right-click the web category General Interest Business and select Block.
Click Apply to save your changes.
8. Go to Policy > Policy > Policy and edit the outing port3port1 policy. Under Security Profiles, turn
on Web Filter and ensure that the default profile is selected.
Next, turn ON SSL/SSH Inspection under Proxy Options and ensure the default profile is selected.
Click OK to save the policy changes.
9. From the CLI on the Student FortiGate device, check the low-level status information of the web
filtering service by entering the following command:
diag debug rating

FortiGate Multi-Threat Security and Systems I

74

Module 9 Lab 1: Web Filtering

The command diag debug rating shows the list of FDS servers for web filtering that the FortiGate
unit is using to send requests. Rating requests are only sent to the server on the top of the list in normal
operation. Each server is probed for RTT every 2 minutes.
The diag debug rating flags indicate the server status as explained below:

D indicates the server was found via the DNS lookup of the hostname. If the hostname
returns more than one IP address, all of them will be flagged with 'D' and will be used first for
INIT requests before falling back to the other servers.
I indicates the server to which the last INIT request was sent.
F signifies the server has not responded to requests and is considered to have failed.
T signifies server is currently being timed.

10. From a web browser on the virtual Windows Server, connect to a web site that is usually blocked by the
training policy and verify that the blocked message is displayed.
A FortiGuard replacement message should be displayed.
11. Go to System > Config > Replacement Message and under Security select FortiGuard Block Page and
change the text of the block message to customize it. Click Save located in the upper-right hand corner
of the edit pane to apply your changes.
12. Revisit the same web site and ensure that the customized FortiGuard Block Page Blocked message is
displayed.
You may need to clear your browsers cache or refresh the block page as the browser might take the
information from its local cache.
13. Next, in the web browser, attempt to connect to a web site category with an Authenticate action. For
example:
A Web Page Blocked message is displayed again, this time with a Proceed button.

FortiGate Multi-Threat Security and Systems I

75

Module 9 Lab 1: Web Filtering

14. Click Proceed to view the Web Filter Block Override page. Enter the username student and the
password F0rtinet and click Continue.
The web page should now be displayed.
15. From the GUI on the Student FortiGate device, go Log & Report > Traffic Log > Forward Traffic and
locate the log messages related to the web filtering activity.
In the following step, you will configure an access quota for a couple of categories. Quotas allow
access to web resources for a specified length of time.
16. Go to Security Profiles > Web Filter > Profile and edit the default web filter profile.
17. Expand Quota on Categories with Monitor, Warning and Authenticate Actions and click Create New to
create new quotas. Select the categories (same as in Step 4) to be assigned quotas and set the quota
time value to 5 minutes.
Once you have altered the web filter profile, click OK then click Apply to save the profile settings.
18. From a web browser on the Windows Server, attempt to visit a blocked category web site again.
19. Click Proceed on the Web Page Blocked page. Authenticate on the Web Filter Block Override page
using the username student and the password F0rtinet and click Continue.
Once authenticated properly, the quota timer is initiated.
20. To view the quota timer value, enable the Security Profiles monitors through the CLI as follows:
config sys global
set gui-utm-monitor enable
end
then, go to Security Profiles > Monitor > FortiGuard Quota. If the FortiGuard Monitor is not displayed,
you may need to clear the web browsers cache or refresh the page.
When the daily quota value is reached, the FortiGuard replacement message will be displayed again.
21. From the GUI on the Student FortiGate device go Log & Report > Traffic Log > Forward Traffic and
locate the log messages related to the web filtering activity.
22. Edit the default web filter profile, expand Quota on Categories with Monitor, Warning and Authenticate
Actions and delete the quotas on the selected categories. Click OK then click Apply to save the profile
settings.
23. Still in the web filter profile and select flow-based. A notification is displayed as follows:

FortiGate Multi-Threat Security and Systems I

76

Module 9 Lab 1: Web Filtering

Click OK and then click Apply.


24. Test the behavior of the flow based inspection by connecting to a web site that is usually blocked.
Check the log entry for this blocked request.

FortiGate Multi-Threat Security and Systems I

77

Module 10 Lab 1: Application Identification

Module 10
Lab 1: Application Identification
The aim of this lab is for students to use the application control feature to properly identify a given
application.

Objectives

Configure application control in the student lab environment


Read and understand application control logs

Time to Complete
Estimated: 30 minutes

FortiGate Multi-Threat Security and Systems I

78

Module 10 Lab 1: Application Identification

Exercise 1 Creating an Application Control List


1. From the Windows Server, you will first need to connect to the Student FortiGate device and restore the
configuration file that is needed for this lab. This module uses the same config as in Module 7.
Connect to the GUI on the Student FortiGate device (10.0.1.254) and restore the following configuration
file: Resources\ Module10\Student\student-app.conf.
The Student FortiGate device will reboot.
2. From the GUI on the Student FortiGate device, go to Security Profiles > Application Control >
Application Sensor and review the default application control sensor.(Ensure you are selecting the
sensor named default.)
3. On the Edit Application Sensor page, check the settings for the following rules:
Youtube
Application:
Myspace
Application:
Check the Action setting for each filter. What are the expected actions of these sensors?
Traffic shaping is enabled for Youtube and these applications use a shared traffic shaper which is
capped at 1 Mbps. Connections to Myspace are blocked.
Before proceeding ensure both of these signatures are located at the top of the list. Click Apply to save
changes to the profile.
4. Go to Policy > Policy > Policy and edit the port3port1 policy. Ensure that Application Control is
turned ON and that the default Application Control sensor is selected. Click OK.
You will now test the application control configuration. From the virtual Windows Server, open a web
browser and connect to YouTube.com.
5. On the YouTube web site, attempt to play a few videos.
Check the traffic shaper monitor in Firewall Objects > Monitor > Traffic Shaper Monitor.
6. Next, enable the Security Profiles monitors through the CLI as follows:
config sys global
set gui-utm-monitor enable
end
then, check the Application monitor in Security Profiles > Monitor > Application Monitor. If the
Application Monitor is not displayed, you may need to clear the web browsers cache or refresh the
page.
7. From the virtual Windows Server host, open a web browser and connect to Myspace.com.
You should observe that you cannot connect to this site.

FortiGate Multi-Threat Security and Systems I

79

Module 10 Lab 1: Application Identification

8. Go to Security Profiles > Application Control > Application Sensor and edit the default sensor again.
Click Create New to add a new application filter and select Specify Applications.
9. In the search field shown above the Application Name column enter Facebook. From the results that
display, select Facebook from the Application Name column. A window displays with a description of
the application including popularity, and a reference link that you can click to obtain more rating
information from the FortiGuard Center.
Set Action to block and ensure that this new signature is place at the top of the list.
Once you have added the filter to the profile, click Apply to save the changes.
Test that this site is now blocked. Go to Log & Report > Traffic Log > Forward Traffic and view the log
information to confirm that this action was correctly logged. The status of the connection should be
displayed as deny.
10. From the web browser, and attempt to access the following web site:
http://proxite.us
On the proxy web page, scroll down to the bottom and enter the URL of MySpace.com. Click Go.
You should observe this does allow some connectivity to the site. What action can be taken to stop
this?
You can create a new rule in the sensor to block the Proxy category.

FortiGate Multi-Threat Security and Systems I

80

Module 10 Lab 2: Traffic Shaping

Lab 2: Traffic Shaping


The aim of this lab is for students to work with the traffic shaping function of application control to limit a
specific application.

Objectives
Students will complete the following tasks:

Restrict YouTube video bandwidth

Time to Complete
Estimated: 10 minutes

FortiGate Multi-Threat Security and Systems I

81

Module 10 Lab 2: Traffic Shaping

Exercise 1 Limiting YouTube Traffic


1. From the Windows Server, you first will need to connect to the Student FortiGate device and restore the
configuration file that is needed for this lab.
Connect to the GUI on the Student FortiGate device (10.0.1.254) and restore the following configuration
file: Resources\Module10\Student\Student-app.conf
The Student FortiGate device will reboot.
2. Go to Policy > Policy > Policy and edit the outbound port3 > port1 firewall policy. Set Application
Control to ON and from the drop-down list select the monitor-p2p-and-media profile.
Click OK to save the policy settings.
3. From a web browser on the virtual Windows Server host, connect to a Youtube web site and stream a
random video. Go to Log & Report > Traffic Log > Forward Traffic and view the application control log
entries that are generated.
4. From the GUI on the Student FortiGate device go to Firewall Objects > Traffic Shaper > Shared and
create a new traffic shaper with the following details:
Name :

YouTube

Maximum Bandwidth:

100

Note: The units are in kilobits per second. Take this into consideration
when setting values, as typically bandwidth measurements are done in
kilo bytes, or even larger units.
5. Go to Security Profiles > Application Control > Application Sensor and select the monitor-p2p-andmedia application control profile from the drop-down list shown in the upper right-hand corner of the
window.
6. Next, edit the sensor: ID2 (Video/Audio). If the ID column is not visible, modify the column settings to
add it.
Scroll to the bottom of the window, and set Action to Traffic Shaping. Enable both Forward and
Reverse Direction Traffic Shaping and from the drop-down list, select the YouTube traffic shaper you
created in the previous.
Once you have applied the YouTube shaper to both the normal and reverse direction for this signature,
click OK then click Apply.
7. Clear the web browser cache and re-open it. Connect to the YouTube web site again and stream
the same video. If you set the Shaper levels low enough the experience of playing the video will be
very different.
Note: Only shared shapers are allowed, so the maximum value here
would apply to everyone inside the network that was using the application
(YouTube videos in this case). Keep this in mind when using this option.

FortiGate Multi-Threat Security and Systems I

82

Module 10 Lab 3: Selective Application Control

Lab 3: Selective Application Control


The aim of this lab is to demonstrate how application control can be used to selectively block only specific
features inside some network applications.

Objectives
Students will complete the following tasks:

Block user attempts to edit any Wikipedia article, while allowing read-only access to that website.

Time to Complete
Estimated: 10 minutes

FortiGate Multi-Threat Security and Systems I

83

Module 10 Lab 3: Selective Application Control

Exercise 1 Block Wikipedia Editing


1. From Windows Server, open a browser window and access:
http://www.wikipedia.org
Open any Wikipedia article.
1. Click on the Edit tab on the top of the page. This should open the Wikipedia editor feature that allows
any user to modify articles.
2. From GUI on the Student FortiGate device, go to Security Profiles > Application Control > Application
Sensor and select the monitor-p2p-and-media application control profile from the drop-down list shown
in the upper right-hand corner of the window.
3. Click Create New to add a new application filter and select Specify Applications.
4. In the search field shown above the Application Name column enter Wikipedia. From the results
displayed, select Wikipedia_Edit from the Application Name column.
Set Action to block and ensure that this new signature is placed at the top of the list.
Once you have added the filter to the profile, click Apply to save the changes
2. Clear the web browsers cache and access a different Wikipedia article. You should still have access to
the Wikipedia document. Try to edit any article again. You should notice that this time you are not able
to edit the article.

FortiGate Multi-Threat Security and Systems I

84

Appendix A: Additional Resources

Appendix A: Additional Resources

Fortinet Documentation : http://docs.fortinet.com


Manuals, references, cookbooks, and technical notes for Fortinet products.

Fortinet Knowledge Base: http://kb.fortinet.com


This site is useful for finding working examples and tips for Fortinet products.

Fortinet Web Site: http://www.fortinet.com


Data sheets.

FortiGuard Web Site: http://www.fortiguard.com


Information about the FortiGuard Subscription Services.

FortiCare Web Site: https://support.fortinet.com


Portal for Fortinet Customer and Technical Support, including opening tickets, registering devices
you have purchased, and downloading firmware updates.

Fortinet User Forums: http://support.fortinet.com/forum/


Forums where customers discuss how to use Fortinet devices.

FortiGate Multi-Threat Security and Systems I

85

Appendix B: Presentation Slides

Appendix B: Presentation Slides

FortiGate Multi-Threat Security and Systems I

86

Introduction to Fortinet Unified Threat Management

Introduction to Fortinet Unified Threat


Management

2014 Fortinet Inc. All rights reserved.


The information contained herein is subject to change without notice. No part of this publication including text, examples, diagrams
1
or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical
or otherwise, for any purpose, without prior written permission of Fortinet Inc.
FGT1-01-50005-E-20131120

Module Overview
Other products available from Fortinet
A FortiGates features
Administrative Access, Users and Profiles
FortiGuard
Operating Modes
Default Settings
Configuration Backup and Restoration
Proper upgrade and downgrade procedures
Console port
and other topics
2

FortiGate Multi-Threat Security Systems I

87

Introduction to Fortinet Unified Threat Management

Module Objectives
By the end of this module, participants will be able to:
Identify the major features of the FortiGate Unified Threat Management appliance
Modify administrative access restrictions
Create and manage administrative users
Create and manage administrator access profiles
Backup and restore configuration files
Create a DHCP server on a FortiGate units interface
Upgrade or downgrade a FortiGate units firmware

Traditional Network Security Solutions

VPN
Intrusion Prevention
Application Control
Web Filtering
WAN Optimization
Antispam
Antivirus
Firewall

Many single purpose systems needed to


cope with a variety of threats

FortiGate Multi-Threat Security Systems I

88

Introduction to Fortinet Unified Threat Management

FortiGate Integrated Network Security Platform


VPN
Intrusion Prevention
Application Control
Web Filtering
WAN Optimization
Antispam
Antivirus
Firewall
and more

FortiGate Appliance

One device provides a comprehensive


security and networking solution

Unit Design

FortiGuard Subscription Services

Firewall

AV

Web
Filter

IPS

FortiOS
Hardware

Security
Automated
and network-level
update
service
services
Specialized
operating
system
Purpose-driven
hardware
6

FortiGate Multi-Threat Security Systems I

89

Introduction to Fortinet Unified Threat Management

FortiGate Unit Capabilities

1
1
1
1

Application
control
WAN
Intrusion
Data
Antivirus
optimization
leak
prevention
prevention
Secure
VPN
Email
filtering
High
availability
Firewall
Endpoint
Dynamic
compliance
routing
Wireless
Logging
Authentication
and
reporting
Traffic
shaping
Virtual
Web
filtering
domains

Fortinet Products
Network Security
FortiGate appliances
High-end, mid-range and
desktop models

Network Access
Wireless: FortiWiFi, FortiAP
Switching: FortiSwitch
End-point and mobility:
FortiClient
User Identity:
FortiAuthenticator, FortiToken

Infrastructure Security
Application and Content Delivery:
FortiADC
DDos Mitigation: FortiDDos
Advanced Threat Protection
Voice and Video: FortiVoice,
FortiCamera, FortiRecorder

Application Security
FortiMail, FortiWeb, FortiDB
FortiCache

Management
FortiManager, FortiAnalyzer,
FortiCloud

FortiGate Multi-Threat Security Systems I

90

Introduction to Fortinet Unified Threat Management

FortiGuard Subscription Services


Global Update service for AV/IPS (update.fortiguard.com)
uses SSL on port 443

Global Live service for FortiGuard WF/AS (service.fortiguard.net)


Uses a proprietary protocol on port 53 or 8888
Live service (connection & contract required)
Short grace period after contract expiry (about 7 days)

Handled through FortiGuard Distribution Network(FDN)


Calculates server distance based on time zones

Major server centers in North America as well as Asia and Europe


Nearest servers are preferred but will adjust based on server load
can be sent to a FortiManager instead

Modes of Operation
NAT
Device operates on Layer 3 or
the OSI Model
Interfaces have IP addresses
Packets are routed VIA IP

Device is presence in the routing of


the network

Transparent
Device operates on Layer 2 of
the OSI
Device interface do not have IPs
Routing decisions are not
possible
Device is not a presence in
network routing.

10

FortiGate Multi-Threat Security Systems I

91

Introduction to Fortinet Unified Threat Management

OSI Model

11

Device Factory Defaults


port1 or internal interface will have an IP of 192.168.1.99/24
PING, HTTP, HTTPS protocols are enabled for
Management Access
port1 or internal interface will have a DHCP server set up and
enabled (on devices that support DHCP Servers)
Default login will always be:
user: admin
password: (blank)
Usernames and passwords are BOTH case sensitive
Default admin user information should be modified!
12

FortiGate Multi-Threat Security Systems I

92

Introduction to Fortinet Unified Threat Management

Device Administration

Web GUI
HTTP, HTTPS

CLI
Console,SSH,Telnet, GUI Widget

13

Administrator Profiles

14

FortiGate Multi-Threat Security Systems I

93

Introduction to Fortinet Unified Threat Management

Administrator Profiles: Permissions

None Read

Read-Write

System Configuration
Network Configuration
Firewall Configuration
VPN Configuration
Wifi Configuration
etc.

Admin
Profile

15

Administrative Users

Full access

super_admin
profile

Custom access

Full access within


a single virtual
domain

custom
profile

prof_admin
profile

16

FortiGate Multi-Threat Security Systems I

94

Introduction to Fortinet Unified Threat Management

Administrative Users: Trusted Hosts

If logging in from the source IP is not possible, FortiGate will not respond to requests
for management traffic to its interfaces
17

Two Factor Authentication

Username and Password (one factor)


+
FortiToken (two factor)

18

FortiGate Multi-Threat Security Systems I

95

Introduction to Fortinet Unified Threat Management

Administrative Users: Two Factor Authentication

19

Configuration Files

Device configuration settings can be saved to an external file


Optional encryption
The file can be restored to rollback device to a previous configuration
restoring a configuration always reboots the device

Configuration files can be backed up automatically


Not available on all models, happens when admin users log out

20

FortiGate Multi-Threat Security Systems I

96

Introduction to Fortinet Unified Threat Management

Configuration Files: Format


Plain Text

Build Number

#config-version=FWF60D-5.00-FW-build252131031:opmode=0:vdom=0:user=admin#conf_file_ver=1048892595416027
5734#buildno=0252#global_vdom=1

Encrypted
#FGBK|3|FWF60D|5|00|252|

Model
Firmware Major Version

Header contains some details on the device


After header, encrypted file is not readable

Restoring Encrypted configuration requires the same device/model


running the same build as the config file (and encryption password)
Restoring a text base config file only requires the same model
Different build configuration files can be used (with the same limits as an upgrade)

Config file only contains non-default and important settings (size)


21

Per Virtual Domain Configuration Files


Configurations are backed up as a whole
If Virtual Domains(VDOMs) are enabled, backups of individual VDOMs is
possible

22

FortiGate Multi-Threat Security Systems I

97

Introduction to Fortinet Unified Threat Management

Interface IPs
Every used interface on the
unit must have an IP
assigned (in NAT mode)
using one of three methods:
Manual IP, DHCP assigned,
PPPoE (CLI)

23

Administrative Access: Methods


Each interface has separate
options for enabling
Management access
Separate settings for IPv4 and
IPv6
IPv6 options only show up if
feature is enabled in the GUI

24

FortiGate Multi-Threat Security Systems I

98

Introduction to Fortinet Unified Threat Management

Hiding features from the GUI


Not all features are visible in the GUI, by default
Some features are ONLY configurable from the CLI
Feature not in the GUI ARE NOT disabled

Primary features can be hidden/unhidden from Dashboard Widget


Full list of options found in Features submenu

25

Hiding features from the GUI: SecurityFeatures

NGFW
Next Generation Firewall
Line Speed Inspection

ATP
Advanced Threat Protection
Focuses on protecting PCs

WF
Web Filtering

Full UTM
All Inspection profile options are available in the GUI
26

FortiGate Multi-Threat Security Systems I

99

Introduction to Fortinet Unified Threat Management

Administrative Access: Ports


Service Ports for Administrative access can be customized
Only using secure access methods is recommended

27

Static Gateway
There must be at least one default gateway
If an interface is DHCP or PPPoE, then a gateway can be added
to the routing dynamically

28

FortiGate Multi-Threat Security Systems I

100

Introduction to Fortinet Unified Threat Management

DHCP Server: Setup


Enabled and configured separately for each interface

29

DHCP Server: IP Reservation


IP address reserved and always assigned to the same DHCP host
Select an IP address or choose an existing DHCP lease to add to the reserved list
Identify the IP address reservation as either DHCP over Ethernet or DHCP over
IPSec

MAC address of the DHCP host is used to look up the IP address in


the IP reservation table
Found in the Advanced settings of the DHCP server, on the interface

30

FortiGate Multi-Threat Security Systems I

101

Introduction to Fortinet Unified Threat Management

DHCP Logs

31

FortiGate as a DNS Server


Resolve DNS lookups from an internal network
Methods to set up DNS for each interface:
Forward to System DNS: DNS requests relayed to the DNS servers configured
for the FortiGate unit
Non-recursive: DNS requests resolved using a FortiGate DNS database and
unresolved DNS requests are dropped
Recursive: DNS requests will be resolved using a FortiGate DNS database and
any unresolved DNS requests will be relayed to DNS servers configured for the
unit

One DNS database can be shared by all the FortiGate interfaces


If VDOMs are enabled, a DNS database can be created in each VDOM

32

FortiGate Multi-Threat Security Systems I

102

Introduction to Fortinet Unified Threat Management

DNS Forwarding
FortiGate units can forward (or not) DNS requests sent to its
interfaces
Behavior on each interface is configured separately

Allows direct control of the DNS


GUI allows setting to Forward only
CLI allows Forward, Recursive and Non-recursive behavior

33

DNS Database: Configuration


DNS zones need to be added when configuring the DNS database
Each zone has its own domain name
Zone format defined by RFC 1034 and1035

DNS entries are added to each zone


An entry includes a hostname and the IP address it resolves to
Each entry also specifies the type of DNS entry

IPv4 address (A) or an IPv6 address (AAAA)


name server (NS)
canonical name (CNAME)
mail exchange (MX) name
IPv4 (PTR) or IPv6 (PTR)

34

FortiGate Multi-Threat Security Systems I

103

Introduction to Fortinet Unified Threat Management

Firmware Upgrade Steps

Step 1: Backup and store old configuration (Full config backup from CLI)
Step 2: Have copy of old firmware available
Step 3: Have disaster recovery option on standby (especially if remote)
Step 4: READ THE RELEASE NOTES (upgrade path, bug information)
Step 5: Double check everything
Step 6: Upgrade
35

Firmware Downgrade Steps

Step 1: Locate pre-upgrade configuration file


Step 2: Have copy of old firmware available
Step 3: Have disaster recovery option on standby (especially if remote)
Step 4: READ THE RELEASE NOTES (is a downgrade possible?)
Step 5: Double check everything
Step 6: Downgrade (all settings except those needed for access are lost)
Step 7: Restore pre-upgrade configuration

36

FortiGate Multi-Threat Security Systems I

104

Introduction to Fortinet Unified Threat Management

Maintainer Access
Available on all FortiGate devices and some non-FortiGate devices
Only available through the hardware console port
Highly secure (requires physical access)

Only open after a HARD boot


About 30 seconds (varies by model, by approximately 1 minute)
Highly secure (soft boot does not activate user)
User: maintainer
Password: bcpb<serial number>

All letters in serial number MUST BE uppercase

Can be disabled in the CLI if physical security is a risk or for


compliance reasons
config sys global
set admin-maintainer disable
end
37

Console Port
Depending on the FortiGate model, console port
access is provided in the following ways:
Serial port (older models)
Standard null model cable will work for console port access

RJ-45 port
RJ-45-serial cable is required for access

USB 2 port
Requires FortiExplorer to connect

Each devices ships with proper console cables

38

FortiGate Multi-Threat Security Systems I

105

Introduction to Fortinet Unified Threat Management

FortiExplorer
Software used to Manage devices via USB-2
Some models of FortiGate/FortiWifis, FortiSwitch, FortiAP

Available for Windows PC, Mac OSx10


Release notes contain detailed information on supported OS versions
Connect using USB cable
Allows Full GUI/CLI access, complete configuration options
If device has USB-2 port, FortiExplorer is the only way to access Console port

Available on Apple Store for IPod/IPad/IPhone


Connect using standard 30pin-USB cable
Limited configuration options, Limited model options

39

Labs
Lab 1: Initial Setup and Configuration
Ex 1: Configuring Network Interfaces
Ex 2: Exploring the Command Line Interface
Ex 3: Restoring Configuration Files
Ex 4: Performing Configuration Backups

(OPTIONAL)
Lab 2: Administrative Access
Ex 1: Profiles and Administrators
Ex 2: Restricting Administrator Access

40

FortiGate Multi-Threat Security Systems I

106

Introduction to Fortinet Unified Threat Management

Classroom Lab Topology

41

FortiGate Multi-Threat Security Systems I

107

Logging and Monitoring

Logging and Monitoring

2014 Fortinet Inc. All rights reserved.


The information contained herein is subject to change without notice. No part of this publication including text, examples, diagrams
1
or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical
or otherwise, for any purpose, without prior written permission of Fortinet Inc.
FGT01-02-50005-E-20131120

Module Overview
Log Severity Levels
Storage Locations
Log types and subtypes
Log Structure and Behavior
Traffic Log
Viewing Log Messages
Reading and Interpreting log messages
Alert Email

and other topics


2

FortiGate Multi-Threat Security Systems I

108

Logging and Monitoring

Module Objectives
By the end of this module participants will be able to:
State the Purpose of different log types on a FortiGate
Identify the storage location of log information
Navigate the relevant screens for Logging and Monitoring of a FortiGate
Read and Interpret log messages
View and search logs messages

Logging and Monitoring

Logging and monitoring are key


elements in maintaining devices
on the network
Monitor network and Internet traffic
Track down and pinpoint problems
Establish baselines
4

FortiGate Multi-Threat Security Systems I

109

Logging and Monitoring

Log Severity Levels


Administrators define what type of logs are recorded
All log messages have a severity level to help indicate how important
the event is
Emergency = System unstable
Alert = Immediate action required
Critical = Functionality affected
Error = Error exists that can affect functionality
Warning = Functionality could be affected
Notification = Information about normal events
Information = General system information
Debug = Debug log messages

Log Storage Locations

FortiCloud
Syslog
Hard drive

SNMP
FortiAnalyzer
FortiManager

Memory

Local logging
Remote logging
6

FortiGate Multi-Threat Security Systems I

110

Logging and Monitoring

Log Storage Locations: FortiAnalyzer/FortiManager

FortiGate

FortiAnalyzer/FortiManager
Register

FAZ/FMG has list of Registered(allowed) devices


SSL-secured OFTP used to encrypt communications
7

FortiAnalyzer/FortiManager: Comparison
FortiManager is a dedicated device designed to Centrally Manage
multiple FortiGate devices
FortiAnalyzer is dedicated device designed for long term storage of log
data
FMG has identical logging and reporting functionality to FAZ, except for 2Gig daily
limit on logs received

FortiGate Multi-Threat Security Systems I

111

Logging and Monitoring

FortiAnalyzer/FortiManager: Configuration

Up to 3 separate FAZ/FMG devices can be configured (CLI)


May be needed for Redundancy
Generating & sending logs requires resources
config log [fortianalyzer|fortianalyzer2|fortianalyzer3] setting
set status enable
eet server x.x.x.x
end
9

Log Storage Locations: FortiCloud


Subscription service
Long term log storage & reporting
FortiGates include 1 month free trial
Links to FortiCare user
Read any documentation on the Website!!

10

FortiGate Multi-Threat Security Systems I

112

Logging and Monitoring

Log Types and Subtypes


Traffic Log
Forward (Traffic passed/blocked by Firewall policies)
Local (Traffic aimed directly at, or created by the FortiGate device)
Invalid (Log messages about packets considered invalid/malformed and dropped)
Multicast (Log messages about Multicast traffic)

Event Log
System (System related events)
User (Firewall authentication events)
Router, VPN, WanOpt & Cache, Wifi

Security Log
By Security profile type (Antivirus, Web Filter, Intrusion Protection, etc.)
Section is not created by default

11

Log Structure and Behavior


Logging is divided into 3 sections: Traffic Log, Event Log, Security Log
Traffic logs relate to packets to and through the device
Event logs relate to any admin and system activity events on the device
Security logs contain log messages related to profiles acting on traffic passing
through the device

Most Security events consolidated into Forward Traffic log


Less CPU intensive this way
Exceptions: DLP, Intrusion Scanning (Security Log only)

Additional log information can be obtained in some security profiles via


the CLI (Antivirus, Web Filter, Email)
extended-utm-log [disable (default) | enabled]
New log options show up (CLI only, varies depending on profile type)
Security event logs show up in Security Logs with more details
12

FortiGate Multi-Threat Security Systems I

113

Logging and Monitoring

Log Generation
FW Policy
Log Setting

AV,Web Filter, Email

No Log

Disabled

N/A

No Forward Traffic or Security Logs

No Log

Enabled

Disabled

No Forward Traffic or Security Logs

extended-utm-log

Behavior

No Log

Enabled

Enabled

No Forward Traffic or Security Logs

Log Security Events

Disabled

N/A

No Forward Traffic or Security Logs.

Log Security Events

Enabled

Disabled

Security log events appear in Forward Traffic Log.


Forward Traffic Log generated for packets causing a
security event.

Log Security Events

Enabled

Enabled

Security log events appear in Security Log.


Forward Traffic Log generated for packets causing a
security event.

Log all Sessions

Disabled

N/A

Forward Traffic Log generated for every single packet.

Log all Sessions

Enabled

Disabled

Security log events appear in Forward Traffic Log


Forward Traffic log generated for every single packet

Log all Sessions

Enabled

Enabled

Security log events appear in Security Logs.


Forward Traffic Log generated for every single packet.

13

Viewing Log Messages(GUI)

14

FortiGate Multi-Threat Security Systems I

114

Logging and Monitoring

Viewing Log Messages(GUI): Adding Filters


Use Filter Settings to customize the display of log messages to
show specific information in log messages
Reduce the number of log entries that are displayed
Filters are per column, more can be added

15

Viewing Log Messages (Raw)


Fields in each log message are arranged into two groups:
Log header (common to all log messages)
date=2013-09-10 time=11:17:56 logid=0000000009
type=traffic subtype=forward level=notice vd=root

Log body (varies between each kind of log)


srcip=172.16.78.32 srcport=900 srcintf=unknown-0
dstip=1.1.1.32 dstport=800 dstintf=unknown-0
dstcountry="Australia" srccountry="Reserved"
service=800/tcp wanoptapptype=cifs duration=20
policyid=100 user="test user" group="test group"
identidx=200 wanin=400 wanout=300 lanin=200 lanout=100

16

FortiGate Multi-Threat Security Systems I

115

Logging and Monitoring

Viewing Log Messages (Raw): Severity Level


Log severity level indicated in the level field of the log message
date=2013-09-10 time=13:00:30 logid=0100032001
type=event subtype=system level=information
vd="root" user="admin" ui=http(10.0.1.10)
action=login status=success reason=none
profile="super_admin" msg="Administrator admin
logged in successfully from http(10.0.1.10)"

information = normal event

17

Viewing Log Messages (Raw): Type and Subtype


Log header
date=2013-09-10 time=12:55:06 log_id=32001 type=utm
subtype=dlp eventtype=dlp level=warning vd=root
filteridx=0

Log body
policyid=12345 identidx=67890 sessionid=312 epoch=0
eventid=0 user="user" group="group" srcip=1.1.1.1
srcport=2560 srcintf="lo" dstip=2.2.2.2 dstport=5120
dstintf="port1" service=mm1 .

type and subtype fields = log file that message is recorded in

18

FortiGate Multi-Threat Security Systems I

116

Logging and Monitoring

Viewing Log Messages (Raw): Policy ID


Log body
srcip=172.16.78.32 srcport=900 srcintf=unknown-0
dstip=1.1.1.32 dstport=800 dstintf=unknown-0
dstcountry="Australia" srccountry="Reserved"
service=800/tcp wanoptapptype=cifs duration=20
policyid=100 user="test user" group="test group"
identidx=200 wanin=400 wanout=300 lanin=200 lanout=100
hostname="host" url="www.abcd.com" msg="Data Leak
Prevention Testing Message" action=block severity=0
infection="carrier end point filter"

policyid = id number of firewall policy matching the session

19

Viewing Log Messages (Raw): Status


Log body
srcip=172.16.78.88 srcname=host srcport=0 srcintf=unknown-0
dstip=229.118.95.200 dstport=0 dstintf=unknown-0 sessionid=0
status=deny user="test user" group="test group" policyid=0
dstcountry="Reserved" srccountry="Reserved" trandisp=snat+dnat
tranip=0.0.0.0 tranport=0 transip=0.0.0.0 transport=0
service=other proto=0 appid=1 app="AIM" appcat="IM"
applist=unknown-1 duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0
rcvdpkt=0 vpn="vpn0" shapersentname="shaper sent name"
shaperdropsentbyte=16843009 shaperrcvdname="shaper rcvd name"
shaperdroprcvdbyte=16843009 shaperperipname="perip name"
shaperperipdropbyte=16843009 devtype="iPad" osname="linux"
osversion="ver" unauthuser="user" unauthusersource="none"
collectedemail="mail" mastersrcmac=02:02:02:02:02:02
srcmac=01:01:01:01:01:01

status = action taken by the FortiGate unit


20

FortiGate Multi-Threat Security Systems I

117

Logging and Monitoring

Viewing Log Messages(CLI)


exe log display

Best to setup filters on log entries first


exe log filter

21

Alert Email

Send notification to email address upon


detection of defined event
Identify SMTP server name
Configure at least one DNS server
Up to three recipients per mail server
22

FortiGate Multi-Threat Security Systems I

118

Logging and Monitoring

Alert Email: Configure


Configuring Alert email is not possible until an SMTP server has been
setup.

Can be sent to up to 3 emails

23

Alert Message Console


Alert messages can be displayed on the GUI
Individual alerts can be acknowledged and removed from the list
Customizable alert options

24

FortiGate Multi-Threat Security Systems I

119

Logging and Monitoring

SNMP Monitoring
SNMP agent

Managed device

Fortinet MIB

SNMP manager

Traps received by agent sent to SNMP manager


Configure FortiGate unit interface for SNMP access
Compile and load Fortinet-supplied MIBs into SNMP
manager
Create SNMP communities to allow connection from
FortiGate unit to SNMP manager

SNMP v1/v2
Plain Text

SNMP v3
Encrypted

25

SNMP Monitoring: Configuring

v3 offers additional security over v1/v2


26

FortiGate Multi-Threat Security Systems I

120

Logging and Monitoring

Configuring Log settings: GUI

27

Configuring Log settings: CLI

Different log locations have different options that need to be


configured (server location, user details, etc)
disk Hard drive (Built in non-volatile Flash on some models)
fortianalyzer|fortianalyzer2|fortianalyzer3 separate FortiAnalyzers
fortiguard- Forticloud
memory system memory (volatile)
sysologd|syslogd2|syslogd3 separate Syslog servers
webtrends Webtrends service
28

FortiGate Multi-Threat Security Systems I

121

Logging and Monitoring

Configuring Log settings: Firewall Policy


Firewall Policy
setting decides if a
log message is
generated or not
Log Settings
options decide
if/where any log
messages get
stored

29

Event Logging: Settings

Event logs are not directly caused by traffic passing through


any firewall policies (except User)
30

FortiGate Multi-Threat Security Systems I

122

Logging and Monitoring

Logging Monitor

Overall view of the number/type of logs generated


Drilldown allows for more detailed information
31

Monitor
Monitor sub-menus found in CLI for all main function menus
User-friendly display of monitored information
View activity of a specific feature being monitored
Various settings are found under config system global
gui-antivirus

gui-ap-profile

gui-application-control

gui-central-nat-table

gui-certificates

gui-client-reputation
gui-dynamic-profile-display

gui-dlp

gui-dns-database

gui-dynamic-routing

gui-endpoint-control

gui-explicit-proxy

gui-ipsec-manual-key

gui-implicit-policy

gui-ips

gui-icap

gui-ipv6

gui-lines-per-page

gui-load-balance

gui-local-in-policy

gui-multicast-policy

gui-multiple-utm-profiles

gui-object-tags

gui-policy-interface-pairs-view

gui-replacement-message-groups

gui-spamfilter

gui-sslvpn-personal-bookmarks

gui-sslvpn-realms

gui-utm-monitors

gui-voip-profile

gui-vpn

gui-vulnerability-scan

gui-wanopt-cache

gui-webfilter

gui-wireless-controller

gui-wireless-opensecurity

32

FortiGate Multi-Threat Security Systems I

123

Logging and Monitoring

GUI Monitors
Example: Security Profiles Monitor
Includes all security features
AV Monitor
Recent and top virus activity

Web Monitor
Top blocked FortiGuard categories

Application Monitor
Most used applications

Intrusion Monitor
Recent attacks

FortiGuard Quota
Per user list of quota usage
33

Status Page: Custom Widgets


Many widgets can have their settings altered to display different
information
The same widget can be added multiple times to the same dashboard showing
different information

34

FortiGate Multi-Threat Security Systems I

124

Logging and Monitoring

Status Page: Custom Dashboards

Multiple dashboards included by default


Included widgets are setup to provide different kinds of information
Can be changed/deleted/added
Per User settings (Diashboard and widget layout is not shared between users)
35

The Crash log


Inspection of is traffic handled by processes
Any time a process closes, it is a crash
Some crashes are normal (closing scanunit to do a definition update)
diag deb crashlog read

Does not any log message data

36

FortiGate Multi-Threat Security Systems I

125

Logging and Monitoring

Labs
Lab 1: Status Monitor and Event Log
Ex 1: Exploring the GUI Status Monitor
Ex 2: Event Log and Logging Options

(OPTIONAL)
Lab 2: Remote Monitoring
Ex 1: Remote Syslog and SNMP Monitoring

37

Classroom Lab Topology

38

FortiGate Multi-Threat Security Systems I

126

Firewall Policies

Firewall Policies

2014 Fortinet Inc. All rights reserved.


The information contained herein is subject to change without notice. No part of this publication including text, examples, diagrams
1
or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical
or otherwise, for any purpose, without prior written permission of Fortinet Inc.
FGT1-03-50005-E-20131120

Module Overview
How Packets are Handled
Policy Types and Subtypes
Network Address and Port Translation
Session Helpers
Proxy vs Flow based inspection
Firewall object usage
Monitoring Firewall policies
Debugging Firewall policies

and other topics


2

FortiGate Multi-Threat Security Systems I

127

Firewall Policies

Module Objectives
By the end of this module participants will be able to:
Identify the components used in a firewall policy
Create firewall policy objects
Create Address type firewall policies
Manage policy order
Test firewall policies
Monitor network traffic through firewall policies

Definition and Overview of Firewall Policies


Polices are a list of rules that define:
a)

under what conditions traffic is considered a match

b)

How to handle that traffic

Processed top down, only first match applies


Implicit deny, no rule to allow the traffic means it gets dropped
Not visible in GUI, by default

FortiGate Multi-Threat Security Systems I

128

Firewall Policies

How Packets are Handled: Step 1


Step #1 - Ingress
1. Denial of Service Sensor
2. IP integrity header checking
3. IPSec connection check
4. Destination NAT
5. Routing

How Packets are Handled: Step 2


Step #1 - Ingress
1. Denial of Service Sensor
2. IP integrity header checking
3. IPSec connection check
4. Destination NAT
5. Routing

Step #2 - Stateful Inspection


Engine
1. Session Helpers
2. Management Traffic
3. SSL VPN
4. User Authentication
5. Traffic Shaping
6. Session Tracking
7. Policy lookup

FortiGate Multi-Threat Security Systems I

129

Firewall Policies

How Packets are Handled: Step 3


Step #1 - Ingress
1. Denial of Service Sensor
2. IP integrity header checking
3. IPSec connection check
4. Destination NAT
5. Routing

Step #2 - Stateful Inspection


Engine
1. Session Helpers
2. Management Traffic
3. SSL VPN
4. User Authentication
5. Traffic Shaping
6. Session Tracking
7. Policy lookup

Step #3 - UTM scanning


process
i) Flow-based Inspection
1. IPS
2. Application Control
3. Email Filter
4. Web Filter
5. Anti-virus
ii) Proxy-based Inspection
6. VoIP Inspection
7. Data Leak Prevention
8. Email Filter
9. Web Filter
10. Anti-virus
11. ICAP

How Packets are Handled: Step 4


Step #1 - Ingress
1. Denial of Service Sensor
2. IP integrity header checking
3. IPSec connection check
4. Destination NAT
5. Routing

Step #2 - Stateful Inspection


Engine
1. Session Helpers
2. Management Traffic
3. SSL VPN
4. User Authentication
5. Traffic Shaping
6. Session Tracking
7. Policy lookup

Step #3 - UTM scanning


process
i) Flow-based Inspection
1. IPS
2. Application Control
3. Email Filter
4. Web Filter
5. Anti-virus
ii) Proxy-based Inspection
6. VoIP Inspection
7. Data Leak Prevention
8. Email Filter
9. Web Filter
10. Anti-virus
11. ICAP

Step #4 - Egress
1. IPSec
2. Source NAT
3. Routing

FortiGate Multi-Threat Security Systems I

130

Firewall Policies

Firewall Policies
Incoming and outgoing interfaces
Source and destination IP addresses
Services
Schedules

Action = ACCEPT

Authentication

Threat
Management

Traffic
Shaping

Logging

Firewall policies include the


instructions used by the FortiGate
device to determine what to do with a
connection request
Packet analyzed, content compared to
policy, action performed

Policy Types and Subtypes

Address
Policy match based on IPs

User Identity
Policy match based on authentication information (user)

Device Identity
Policy match based on OS/Type

10

FortiGate Multi-Threat Security Systems I

131

Firewall Policies

Policy Types and Subtypes: Address subtype

Match is based on IP
and port information
in the packets

11

Policy Types and Subtypes: User Identity subtype

12

FortiGate Multi-Threat Security Systems I

132

Firewall Policies

Policy Types and Subtypes: Device Identity subtype

OS identity device based on packet behavior and details


MAC address (Forti-Device only), DHCP VCI, TCP SYN
Fingerprint, HTTP UserAgent
Identification rules updated with FortiGuard definitions
13

Firewall Policy Elements: Interfaces and Zones

Incoming
Interface

Outgoing
Interface

ZONE: A logical
group of interfaces

Select Incoming Interface to identify the interface or zone


on which packets are received
Select one(or more) interfaces or ANY to match all interfaces as the source

Select Outgoing Interface to identify the interface or zone


to which packets are forwarded
Select one(or more) interfaces or ANY to match all interfaces as the source

14

FortiGate Multi-Threat Security Systems I

133

Firewall Policies

Firewall Policy Elements: Address objects


The FortiGate device compares the source and
destination address in the packet to the policies on the
device
Default of ALL addresses available, applies to all IPs

Addresses in policies configured with:


Name for display in policy list
IP address and mask
FQDN if desired (DNS used to resolve)

Use Country to create addresses based on geographical


location
Geographic database updated periodically with FortiGuard

Create address groups to simplify administration

15

Firewall Policy Elements: Service objects

Packet
Protocol and Port

Firewall Policy

Protocol and Port

FortiGate uses Services to determine the port number of accepted or denied traffic
Default of ALL services available, applies to all ports and protocols
Select a Service from predefined list on FortiGate unit or create a custom service
Web Proxy Service also available if Incoming Interface is set to web-proxy
Group Services and Web Proxy Service Group to simplify administration

16

FortiGate Multi-Threat Security Systems I

134

Firewall Policies

Firewall Policy Elements: Schedules


Used to make firewall policies that only apply at particular
times, or days
Example: Having a normal policy and a less restrictive Lunch time policy
Default schedule is 24/7, applies all the time

Recurring
Configured with a time that happens during a day(s) of the week

One-time
happens only once

17

Groups
Groups are logical collections of objects for ease of
configuration
If there will be multiple firewall policies using the same services, addresses or
schedules creating a group can facilitate configuration

Example: Making a Service Group for World of Warcraft


TCP port 3724 (for Game Play)
TCP port 6112, 6881-6999 (for Updates)
UDP port 3724 (in game Voice chat)

18

FortiGate Multi-Threat Security Systems I

135

Firewall Policies

Policy Logging Options

Accept

Deny

19

Network Address and Port Translation


Network Address Translation NAT
Altering an IP address of a packet
Source Network Address Translation SNAT
Altering the Source IP address of a packet

Destination Network Address Translation DNAT


Altering the Destination IP address of a packet

Port Address Translation PAT


Altering the source Port of a packet

Destination IP address
Destination port

Source IP address
Source port
20

FortiGate Multi-Threat Security Systems I

136

Firewall Policies

Network Address and Port Translation: NAT

11.12.13.14

Firewall policy
with NAT enabled
wan1 IP address: 200.200.200.200
wan1
200.200.200.200

Source IP address:
200.200.200.200
Source port: 30912

internal

10.10.10.10

Destination IP address:
11.12.13.14
Destination Port: 80

Source IP address:
10.10.10.1
Source port: 1025
Destination IP address:
11.12.13.14
Destination Port: 80
21

Network Address and Port Translation: IP Pool

Firewall policy
with NAT + IP pool enabled
wan1 IP pool: 200.200.200.2-200.200.200.10

11.12.13.14

wan1
200.200.200.200

internal

10.10.10.10
Source IP address:
10.10.10.1
Source port: 1025

Source IP address:
200.200.200.?
Source port: 30957
Destination IP address:
11.12.13.14
Destination Port: 80

Destination IP address:
11.12.13.14
Destination Port: 80
22

FortiGate Multi-Threat Security Systems I

137

Firewall Policies

Network Address and Port Translation: Fixed Port

11.12.13.14

Firewall policy
with NAT + IP pool enabled + fixed port
wan1 IP pool: 200.200.200.201
wan1
200.200.200.200

10.10.10.10

Source IP address:
200.200.200.201
Source port: 1025

internal

Destination IP address:
11.12.13.14
Destination Port: 80

Source IP address:
10.10.10.1
Source port: 1025
Destination IP address:
11.12.13.14
Destination Port: 80
23

Network Address and Port Translation: Virtual IP

Firewall policy
with destination address virtual IP + Static NAT
wan1 IP address: 200.200.200.200

11.12.13.14

wan1

internal

Source IP address:
11.12.13.14

10.10.10.10
Destination IP address:
200.200.200.222
Destination Port: 80

VIP translates destination


200.200.200.222 -> 10.10.10.10
24

FortiGate Multi-Threat Security Systems I

138

Firewall Policies

Network Address and Port Translation: Virtual IP

Firewall policy
with destination address virtual IP + Static NAT
wan1 IP address: 200.200.200.200

11.12.13.14

wan1

internal

10.10.10.10

Source IP address:
11.12.13.14

Used to allow connections through a


Destination
IP address:policies
FortiGate using NAT
firewall
200.200.200.200

FortiGate unit can respond


to ARP
requests
on a
Destination
Port:
80
network for a server that is installed on another network
Used for (1) Server Redundancy and Load Balancing;
(2) IPSec VPN site-to-site with identical subnets at both
sites; etc.
VIP translates destination
200.200.200.200 -> 10.10.10.10
VIP Group: A group of Virtual IPs for ease-of-use
25

Network Address and Port Translation: Central NAT


Disabled in the GUI (default)
config system global
set gui-central-nat-table enable
end

Centrally configurable NAT rules

26

FortiGate Multi-Threat Security Systems I

139

Firewall Policies

Session Helpers
What does a Session helper do?
When specific types of traffic pass through the FortiGate
additional actions may need to happen
Additional information may be needed from the packets in
order for traffic to flow properly

27

Session Helpers: SIP Example


Example of the SIP protocol with a Stateful Firewall doing NAT of
172.16.1.2 to 201.11.13:
Firewall opens a Pinhole
to allow the traffic that will
come to port 12546
Send the media traffic
to IP address 172.16.1.2,
UDP port 12546

172.16.1.1

The IP address inside the


IP payload is NATed

Send the media traffic


to IP address 201.11.1.3,
UDP port 12546

201.11.1.3

172.16.1.2
Media traffic to
172.16.1.2, port 12546

Media traffic to
201.11.1.3, port 12546

Incoming media traffic is allowed


even when no firewall policy has
been explicitly configured
28

FortiGate Multi-Threat Security Systems I

140

Firewall Policies

Traffic Shaping
Traffic shaping controls which
policies have higher priority when
large amounts of data is passing
through the FortiGate unit
Normalize traffic bursts by
prioritizing certain flows over
others
HTTP
FTP
IM

29

Traffic Shapers
Shared Traffic Shaper

Per-IP Traffic Shaper

Guaranteed Bandwidth
Maximum Bandwidth

Guaranteed Bandwidth
Maximum Bandwidth

Guaranteed Bandwidth
Maximum Bandwidth

Guaranteed Bandwidth
Maximum Bandwidth

30

FortiGate Multi-Threat Security Systems I

141

Firewall Policies

Traffic Shapers
Shared Traffic Shaper

Per-IP Traffic Shaper

Guaranteed Bandwidth
Maximum Bandwidth

Guaranteed Bandwidth
Maximum Bandwidth

Traffic shapers apply Guaranteed Bandwidth


and Maximum Bandwidth
values to addresses
Guaranteed Bandwidth
affected by policyMaximum Bandwidth
Share values between all IP address affected by the
policy
Bandwidth
Values applied toGuaranteed
each IP
address affected by the
Maximum Bandwidth
policy

31

Threat Management
Security profiles are enabled within each Firewall policy

32

FortiGate Multi-Threat Security Systems I

142

Firewall Policies

Threat Management: Client Reputation


Disabled in the GUI (default)
config sys global
set gui-client-reputation enable
end

Tracks the Score for all devices within that VDOM by assigning
a value to various UTM events
Hard drive required to monitor Score (FortiAnalyzer, FortiManager or FortiCloud)

33

Threat Management: Client Reputation considerations


7-day history window shown (default)
Score calculated periodically
Not real time (too much I/O required)

Max ~5000 tracked hosts (depends on db size & number of logs)


When max hosts reached, least active 10% of records get deleted

Change history window and DB size in CLI


config client-reputation profile
set max-rep-db-size
{MB, default 100}
set window-size 7
{days, default 7}
end

The effect of altering window-size


Larger: Results in more data to process, increases CPU and Memory required, score may be more
accurate (depending on log creation rate), limited by database size.
Smaller: Less data to process, less resources, less accurate

The effect of altering max-rep-db-size


Larger: More storage space required, can increase maximum possible tracked hosts, can result in more
data to process (if data based filed before window-size)
Smaller: less storage space required, can decrease maximum possible tracked hosts
34

FortiGate Multi-Threat Security Systems I

143

Firewall Policies

Threat Management: Monitoring Client Reputation


Done via the Threat History widget (or FortiAnalyzer, FortiCloud, Reports)
Requires SSD on a non SOHO model (SOHO=2 digit model number, Med=3, Ent=4) or VM
Widget Monitors Top N hosts (configurable in options, max 100)
3 configurable time periods, separate refresh options
Drill down

35

Threat Management: Client Reputation CLI commands


Only on devices with the Threat History widget
exe client-reputation erase
Wipe out all data in the client reputation database.

exe client-reputation host-count <number> [0 for all]


List all (or some) of the tracked hosts

exe client-reputation host-detail <host_IP>


Obtain detailed information about a particular host

exe client-reputation host-summary <host_IP>


Obtain summary information about a particular host

exe client-reputation purge


Database cleanup. Purge old data from the client reputation database.

exe client-reputation topN <number> [all for all tracked hosts]


Display N hosts with the highest (worst) client reputation score

36

FortiGate Multi-Threat Security Systems I

144

Firewall Policies

Proxy vs Flow: Proxy Based Scanning

Transparent proxy buffers


the file as it arrives
Once transmission is
complete, FortiGate
examines the file
No action until buffer is
full or file is finished
Communication is broken
on layer 3 (proxy handles
communication)

37

Proxy vs Flow: Flow Based Scanning


File is scanned on a packetby-packet basis as it passes
through the FortiGate unit
Faster scanning, but lower
accuracy rate
Stateless, file chunks are
not compared/related to
prior chunks of the same
file
Faster scanning, but lower
accuracy rate
Seamless layer 3

38

FortiGate Multi-Threat Security Systems I

145

Firewall Policies

Proxy vs Flow: Proxys and File size


Firewall Policy

File size is checked against


preset thresholds (configured
in the CLI : config
firewall profileprotocol-options)

Enable Security Profile


UTM Proxy Options
Oversize File/Email
Pass or Block
+
Threshold

If larger than threshold (default


10 MB) and action set to
block, then file is rejected
If larger than threshold and
action set to allow,
uncompressed file must fit
within memory buffer
If not, by default no further
scanning operations
performed

39

Proxy vs Flow: Comparison

Proxy based Inspection

Flow based Inspection

Faster (then proxy based)


Less Secure

Slower (then flow based)


More Secure
Layer 3 communication interrupted
Large Files/Slow connections can
cause delays

Less Accurate

Layer 3 unaffected

Not all Security Profiles can operate in either mode


App Control & IPS are only flow based
VOIP is only proxy based

40

FortiGate Multi-Threat Security Systems I

146

Firewall Policies

Endpoint Control

?
Up to date ?
Disallowed software
installed ?
41

Device Identification (Bring your own Device)


Device detection is dependent on being enabled in the
interface
In the GUI, you will be prompted when you create a device identification policy
Enable directly through the CLI

config system interface


edit "port1"
set device-identification (enable|disable*)
set device-user-identification (enable*|disable)
end

Per-VDOM settings on what to detect


config system network-visibility

Global setting of the device types FortiOS detects is


hardcoded
42

FortiGate Multi-Threat Security Systems I

147

Firewall Policies

Device Identification: Agent based vs Agentless


with Agent
FC
FC

DMZ

INTERNET

Agentless

Identification Techniques
Agentless

Agent Based

TCP Fingerprinting

Uses FortiClient

MAC address vendor codes

Location & Infrastructure Independent

HTTP user agent


Requires direct connectivity to FortiGate
43

Device Identification: Manual Device entry


Devices can be manually identified in the config
config user device
edit me
set mac-address
set type type name
set user user name

end

Once the device is created it can be added to a device


group
config user device-group

44

FortiGate Multi-Threat Security Systems I

148

Firewall Policies

Device Identification: Device list


User & Devices > Device > Device Definitions
diag user device list

45

Device Identification: Policy options


Attempt to detect all Unknown devices
Any device the FortiGate can not identify will be denied
FortiGate will use reattempt identification before denying

Redirect FortiClient compatible devices


Force users with compatible OSs to install FortiClient

Email collection Portal (attach an email to the device)


Webpage to manually enter an email address
Currently, Authentication and Device identification are not compatible

46

FortiGate Multi-Threat Security Systems I

149

Firewall Policies

Device Identification: Email collection


Email Collection
Used in conjunction with device type Collected Emails
Collects an email to be associated with the device
Email are not verified, domain is checked for DNS resolution

47

Device Identification: Email collection portal


config sys setting
set email-portal-check-dns [enable|disable]

48

FortiGate Multi-Threat Security Systems I

150

Firewall Policies

Object Usage
Allows for faster changes to settings
The Reference column allows administrators to
determine where the object is being used
Navigate directly to the appropriate edit page

49

Adjusting Policy Order


Drag and drop policy order from GUI (must click on Seq. #)

CLI works with policy ID number, not sequence number


config firewall policy
move <policy_id> {before|after} <policy_id>
end

50

FortiGate Multi-Threat Security Systems I

151

Firewall Policies

Monitor
View policy usage by active sessions, bytes or packets
Policy > Monitor > Policy Monitor

51

Debugging Firewall Policies: Understanding the traffic


Understand if/how the packets will be manipulated
Which interface is supposed to be the Ingress?
Which interface is supposed to be the egress?
Is there SNAT that will/should happen?
Is there DNAT that will/should happen?

What, exactly is the behavior


Is there slowness/delay?
Is there a timeout?
Is there an error? If so, what is it?

52

FortiGate Multi-Threat Security Systems I

152

Firewall Policies

Debugging Firewall Policies: The packet sniff (CLI)


A Packet sniff can be used to find it out where a
packet comes in and if/where a packet goes out, but
not why.
To view in Wireshark the output must be converted
Output needs to be saved to file
Perl script on KB (article ID: 11186)
diag sniff packet interface filter level

Interface
Use the logical name
port1, lan, wan1
any can be specified by
super_admin users only

Level (1-6)
1: print header of packets
2: print header and data from IP of packets
3: print header and data from Ethernet of packets
4: print header of packets with interface name
5: print header and data from IP of packets with interface name
6: print header and data from Ethernet of packets with interface name

53

Debugging Firewall Policies: The packet sniff (GUI)


Available on devices with internal storage (HD or SMC card)
Downloaded packet sniffs are automatically converted into
Wireshark format

54

FortiGate Multi-Threat Security Systems I

153

Firewall Policies

Debugging Firewall Policies: Filters for sniffs


Filters are a de-facto standard in order to restrict the packet sniff
Sniffing for all packets will likely result in too much
Search internet on tcpdump for documentation

Some possible Filter options:


host IP address (applies to source and destination)
dst host destination address
src host source address

net Network, IP range (applies to source and destination)


dst net, src net

port traffic port (applies to source and destination)


src port, dst port

Protocol can be specified


tcp, udp, arp, icmp, etc.

Primitives can be used to combine filter options


and

or

not

55

Debugging Firewall Policies: Example sniffs


Packet sniff of a ping
specify a host that will not change on ingress or egress
diag sniff packet any host x.x.x.x and icmp (level)

Packet sniff of FTP traffic


specify a host that will not change on ingress or egress
Specify FTP ports (connection and data)
diag sniff packet any host x.x.x.x and (port 21 or port ??) (level)

Packet sniff of traffic from a host connected to FortiGate


specify a host that will not change on ingress or egress
Make sure to exempt the port being used to connect to the FortiGate
diag sniff packet any host x.x.x.x and not port ?? (level)

What level to use (from CLI)?


4 most human readable
3, 6 must use if converting to Wireshark
56

FortiGate Multi-Threat Security Systems I

154

Firewall Policies

Debugging Firewall Policies: diag debug flow


diag debug flow is used to look at all the decisions the firewall is
making
Advanced, Multi-step process to setup command
diag deb flow show function enable
Optional, increases diagnostic output detail

diag deb flow filter ?


Setup a filter on the traffic
each new filter requires separate command (addr, port, etc)

diag deb flow trace start x


How many packets to continue diagnostic for

diag deb enable


Diagnostic mode must be enabled before any output can be seen
57

Debugging Firewall Policies: diag debug flow example


diag debug flow is used to look at all the decisions the firewall is
making
diag deb flow show function enable
diag deb flow filter addr 4.2.2.2
diag deb flow filter proto 1
diag deb flow trace start 10
diag deb enable
After debugging is over
diag deb reset

Shuts off all diagnostics running in the diag deb command tree
diag deb disable
Disables debug output

58

FortiGate Multi-Threat Security Systems I

155

Firewall Policies

Debugging Firewall Policies: Sniff output


Level 4
# diag sniff packet any 'host 4.2.2.2' 4
interfaces=[any]
filters=[host 4.2.2.2]
8.013631 lan in 192.168.100.110 -> 4.2.2.2: icmp: echo request
8.014093 dmz out 192.168.3.99 -> 4.2.2.2: icmp: echo request
8.036665 dmz in 4.2.2.2 -> 192.168.3.99: icmp: echo reply
8.036790 lan out 4.2.2.2 -> 192.168.100.110: icmp: echo reply

Level 6
# diag sniff packet lan 'host 4.2.2.2' 6
interfaces=[lan]
filters=[host 4.2.2.2]
3.258531 lan -- 192.168.100.110 -> 4.2.2.2: icmp: echo request
0x0000

0009 0f4d ebdb 1803 737b cc34 0800 4500

...M....s{.4..E.

0x0010

003c 4711 0000 8001 c895 c0a8 646e 0402

.<G.........dn..

0x0020

0202 0800 4cef 0001 006c 6162 6364 6566

....L....labcdef

0x0030

6768 696a 6b6c 6d6e 6f70 7172 7374 7576

ghijklmnopqrstuv

0x0040

7761 6263 6465 6667 6869

wabcdefghi

59

Debugging Firewall Policies: diag debug flow output


LOG: logid=0100020085 type=event subtype=system level=debug vd="root" trace_id=107
func=resolve_ip_tuple_fast line=4299
msg="vd-root received a packet(proto=1, 192.168.100.110:1->4.2.2.2:8) from lan."
LOG: logid=0100020085 type=event subtype=system level=debug vd="root" trace_id=107
func=init_ip_session_common line=4430 msg="allocate a new session-0000573e"

Single
decision
- 2 steps

Single
decision
- 2 steps

LOG: logid=0100020085 type=event subtype=system level=debug vd="root" trace_id=107


func=vf_ip4_route_input line=1603 msg="find a route: gw-192.168.3.1 via dmz"
LOG: logid=0100020085 type=event subtype=system level=debug vd="root" trace_id=107
func=__iprope_tree_check line=534 msg="use addr/intf hash, len=3"
LOG: logid=0100020085 type=event subtype=system level=debug vd="root" trace_id=107
func=get_new_addr line=2401 msg="find SNAT: IP-192.168.3.99, port-62464"
LOG: logid=0100020085 type=event subtype=system level=debug vd="root" trace_id=107
func=fw_forward_handler line=663 msg="Allowed by Policy-1: SNAT"
LOG: logid=0100020085 type=event subtype=system level=debug vd="root" trace_id=107 func=ids_receive
line=237 msg="send to ips"

60

FortiGate Multi-Threat Security Systems I

156

Firewall Policies

Labs
Lab 1: Firewall Policy
Ex 1: Creating Firewall Objects and Rules
Ex 2: Policy Action
Ex 3: Configuring Virtual IP Access
Ex 4: Configuring IP Pools

(OPTIONAL)
Lab 2: Traffic Log
Ex 1: Enabling Traffic Logging

Lab 3: Device Policies


Ex 1: Enabling Device Identification

61

Classroom Lab Topology

62

FortiGate Multi-Threat Security Systems I

157

Firewall Authentication

Firewall Authentication

2014 Fortinet Inc. All rights reserved.


The information contained herein is subject to change without notice. No part of this publication including text, examples, diagrams
1
or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical
or otherwise, for any purpose, without prior written permission of Fortinet Inc.
FGT1-04-50005-E-20140120

Module Overview
Local User Authentication
Remote Server Authentication
User Groups
Authentication Rules
Disclaimer Page
Authentication Timeout
Two-Factor Authentication
LDAP Configuration and Testing
Radius Configuration and Testing
Monitoring Authenticated Users

FortiGate Multi-Threat Security Systems I

158

Firewall Authentication

Module Objectives
By the end of this module participants will be able to:
Describe the authentication mechanisms available in FortiGate devices
Create local users and user groups
Describe and configure two-Factor authentication
Configure and test Radius authentication
Configure and test LDAP authentication
Create authentication rules
Configure user disclaimers
Monitor active users

Authentication
It is the act of confirming the identity of aA
A
A
person or other entity
A
Once the person or entity have been A
identified, the network device applies the
right firewall policies and profiles to allow or
deny the access to each network resource

FortiGate Multi-Threat Security Systems I

159

Firewall Authentication

Local User Authentication


Local user authentication is based on user accounts stored locally on
the FortiGate unit
For each account, a user name and password is stored

Fortigate

Username
and
password

Remote Server Authentication


Accounts are stored in an external authentication server:
Administrators can create an account for the user locally and specify the server
to verify the password or
Administrators can add the authentication server to a user group
All users in that server become members of the group

1
OK

Username
and
password

Fortigate

Username
and
password

Remote Server

FortiGate Multi-Threat Security Systems I

160

Firewall Authentication

Single Sign On (SSO)


It refers to how users who have authenticated to a domain can
leverage an existing authentication event for firewall authentication
It allows users to enter their credentials only once and get access to
the network resources without being prompted to log in again
With a FortiGate device, SSO can be implemented using one of the
following two methods:
FSSO: It is a Fortinet proprietary communication framework for collecting and
forwarding user login events to FortiGate devices
RSSO: Radius Accounting packets are sent to the FortiGate device containing
login and logoff events

User Authentication via Remote Server


Single Sign On

RADIUS

LDAP

TACACS+

Directory
Services

RADIUS

FortiGate Multi-Threat Security Systems I

161

Firewall Authentication

User Groups Types

Paris

Firewall
User

Visitors

Guest User

Active
Directory

Radius
Server

FSSO

RSSO

User groups are assigned one of four group types: Firewall, Fortinet Single Sign On
(FSSO), Guest and Radius Single Sign On (RSSO)
Firewall user groups provide access to firewall policies that require authentication
FSSO and RSSO are used for Single Sign On Authentication

Authentication Rules
Authentication Rules are enabled
to require firewall authentication
They identify the users and user
groups that will be forced to
authenticate
They also define other aspects of
authentication, including services,
schedules, destination address,
profiles, logging and traffic
shaping

Authentication Rule
Destination Address
Users/ Groups
Services
Schedules
Logging
Security Profiles
Traffic Shaping

10

FortiGate Multi-Threat Security Systems I

162

Firewall Authentication

User Authentication Triggers


User authentication is triggered through any of the following supported
protocols:
HTTP
HTTPS
FTP
Telnet

All other services are not allowed until the user has first authenticated
successfully through one of the protocol above

11

Disclaimers
Displays the Terms and
Disclaimer Agreement page
before the user authenticates
User must accept the
disclaimer to proceed with the
authentication process
Once authenticated, the user
is directed to the original
destination

Policy
Disclaimer

12

FortiGate Multi-Threat Security Systems I

163

Firewall Authentication

Authentication Timeout

Timeout values specify how long an


authenticated connection can be idle
before the user must authenticate again
User Authentication Timeout controls
the firewall authentication timer
Default value is 5 minutes
SSL VPN Idle Timeout controls the
SSL VPN user authentication timer
Default value is also 5 minutes

13

Two-Factor Authentication (2FA)


2FA is strong authentication which improves security by preventing
attacks associated with the use of static passwords alone
2FA requires two independent ways of identifying a user:
Something you know, such as password or PIN
Something you have, such as a token or a PKI Certificate

Taken-based codes are good for one-time use only. So, even if it is
intercepted, it is already useless
One-Time Passwords (OTP) algorithms can be either time based or
event based:
Fortinet uses time, so it is important for the Fortigates system clock to be accurate

14

FortiGate Multi-Threat Security Systems I

164

Firewall Authentication

One-Time Password Delivery Methods


FortiToken: Every 60 seconds, the token generates a 6-digit code
based on a unique seed and GMT time:
Hardware FortiToken
FortiToken Mobile: available for iOS and Android

Email: The one-time password is sent to users configured email


address
SMS phone message: The one-time password sent through email to
the users SMS provider. The email address pattern varies by provider

15

How Taken-Based Authentication Works

Static Password + OTP

OTP Generator

Validation Server

Time sync with accurate NTP


Source

Validate Static Password

Algorithm

Algorithm

Time*

Same OTP Value

Time

Seed

Seed

Same Seed
Same Time

16

FortiGate Multi-Threat Security Systems I

165

Firewall Authentication

Adding a FortiToken

17

LDAP Review
The Lightweight Directory Access Protocol (LDAP) is an application
protocol for accessing and maintaining distributed directory information
services
The LDAP structure is similar to a tree that contains entries (objects) in
each branch:
Each entry has a unique ID, the Distinguished Name (DN)
Each entry also has attributes
Each attribute has a name and one or more values
The attributes are defined in a directory schema

18

FortiGate Multi-Threat Security Systems I

166

Firewall Authentication

LDAP Levels of Hierarchy


The LDAP tree usually tends to match the hierarchy of the customers
organization
The root represents the organization itself, as it is defined as Domain
Components (dc), such as:
dc=example, dc=com

Additional levels can include:


c (country)
ou (organizational unit)
o (organization)

User accounts or groups usually have element names such as uid


(user ID) or cn (common name)

19

LDAP Directory Tree Example

dc=example,dc=com
c=usa

c=france
ou= it

ou= hr
uid= apiquet

c=canada

uid: jsmith
email:
jsmith@example.com
objectClass:
inetOrgPerson

uid= abush

DN: uid= jsmith, ou=it, c=france, dc=example, dc=com


20

FortiGate Multi-Threat Security Systems I

167

Firewall Authentication

LDAP Configuration
Name of the
attribute that
identify each user

Parent branch
where all users
are located

Credentials for a
LDAP
administrator

21

Radius Overview
It is standard protocol that provides Authentication, Authorization and
Accounting (AAA) services
Access-Request
Access-Accept
or
Access-Reject
User

FortiGate
unit

or

Radius server

AccessChallenge

22

FortiGate Multi-Threat Security Systems I

168

Firewall Authentication

Radius Configuration
A Fortinet Vendor-Specific Attributes (VSA) dictionary is provided to
identify the Fortinet-proprietary RADIUS attributes
IP address or
FQDN of the
Radius server
The Secret must
match the Radius
servers secret key

23

Users
Select an external
authentication
server if the
password is not
stored locally

Enable two-factor
authentication

24

FortiGate Multi-Threat Security Systems I

169

Firewall Authentication

User Groups

Select the local


users that belong
to the group

Select the remote


authentication
servers that
contain users that
belong to the
group

25

Policy Configuration

26

FortiGate Multi-Threat Security Systems I

170

Firewall Authentication

User Monitor

Displays logged in users, groups, policy ID being


used, time left before inactivity timeout, source IP
address, amount of traffic sent and the
authentication method
Also used to terminate authentication sessions

27

LDAP Test Command


From the Fortigate CLI:
diagnose test authserver ldap <server_name> <user> <password>

Output sample
Fortigate# diagnose test authserver ldap Lab jsmith fortinet
authenticate 'jsmith' against 'Lab' succeeded!
Group membership(s) CN=SSLVPN,CN=Users,DC=TAC,DC=ottawa,DC=fortinet,DC=com
CN=TAC,CN=Users,DC=TAC,DC=ottawa,DC=fortinet,DC=com

28

FortiGate Multi-Threat Security Systems I

171

Firewall Authentication

RADIUS Test Command


From the Fortigate CLI:
diagnose test authserver radius <server_name> <scheme> <user> <password>

The supported schemes are:


chap
pap
mschap
mschap2

29

Labs
Lab 1: User Authentication
Ex 1: Identity-based Firewall Policy

30

FortiGate Multi-Threat Security Systems I

172

Firewall Authentication

Classroom Lab Topology

31

FortiGate Multi-Threat Security Systems I

173

SSL VPN

SSL VPN

2014 Fortinet Inc. All rights reserved.


The information contained herein is subject to change without notice. No part of this publication including text, examples, diagrams
1
or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical
or otherwise, for any purpose, without prior written permission of Fortinet Inc.
FGT1-05-50005-E-20140120

Module Overview
VPN definition
SSL VPN vs. IPSec VPN
Web-only mode
Tunnel mode
Port Forward mode
Split-Tunneling
Client Integrity Checking
SSL VPN portal
SSL VPN configuration
Access modes comparison
SSL VPN monitor
2

FortiGate Multi-Threat Security Systems I

174

SSL VPN

Module Objectives
By the end of this module participants will be able to:
Configure the different SSL VPN operating modes
Setup SSL VPN portals
Configure firewall policies and authentication rules for SSL VPN
Monitor SSL VPN connections

Virtual Private Networks (VPN)


A virtual private network (VPN) allows users to remotely access
network resources as if they were physically connected to the local
network
Used when there is the need to transmit private data across a public
network
Is an encrypted point-to-point connection, so it cannot be intercepted
by unauthorized users
Uses different security methods to ensure that only authorized users
can access the private network

FortiGate Multi-Threat Security Systems I

175

SSL VPN

FortiGate VPN
SSL VPN
Typically used to secure
web transactions
HTTPS link created to
securely transmit
application data
Client signs on through
secure web page (SSL
VPN portal) on the
FortiGate device

IPSec VPN

VPN

Well suited for networkbased legacy applications


Secure tunnel created
between two host devices
IPSec VPN can be
configured between
FortiGate unit and most
third-party IPSec VPN
devices or clients

SSL VPN Web-only Mode


1. Connection of a remote user to the SSL VPN
portal (HTTPS Web Site)
2. User authentication
3. SSL VPN portal presented
4. Access resources through
the SSL VPN portal via bookmarks
or the connection tool widgets

User traffic has the


internal interface IP
address as source

FortiGate Multi-Threat Security Systems I

176

SSL VPN

SSL VPN Tunnel Mode


1. Connection of a remote user to the SSL VPN
portal (HTTPS Web Site)
2. User Authentication
3. SSL VPN portal presented
4. Tunnel created
5. Access resources (IP traffic
encapsulated over HTTPS)

User traffic source IP


address is assigned by
the FortiGate unit

Tunnel Mode Split Tunneling


Split Tunneling disabled:
All IP traffic will be routed over the SSL VPN tunnel (including Internet traffic)

Split Tunneling enabled:


Only traffic destined to the private network will be routed over the SSL VPN tunnel

Internet

Internal
network

Tunnel mode

Split Tunneling
Enabled

Split Tunneling
disabled

FortiGate Multi-Threat Security Systems I

177

SSL VPN

Ways of Connecting SSL VPN Tunnel Mode


Using a browser:
The SSL VPN web portal will display the status of the SSL VPN ActiveX control
The SSL VPN portal must remain open for the tunnel to function

Using the standalone FortiClient SSL VPN client:


The client must remain running for the tunnel to function

Either way, a new virtual network adapter called fortissl is created in


the client PC:
The FortiGate assigns the adepter a virtual IP address from a pool of reserved
addresses

SSL VPN Client Port Forward Mode


Port Forward uses a Java applet to extend the amount of
applications supported by the Web-only mode
The applet listens on local ports on the user's computer. It encrypts
and forwards to the FortiGate unit all the traffic received
The user must configure the applications on the PC to point to the
local proxy instead of the application server
Application types:
PortForward: for generic port forward applications
Citrix: for Citrix server web interface access
RDPNative: for Microsoft Windows native RDP client over port forward

10

FortiGate Multi-Threat Security Systems I

178

SSL VPN

Client Integrity Checking


SSL VPN gateway checks client system
Only possible with client running Microsoft Windows
Detects client security applications recognized by the Windows
Security Center (antivirus and firewall)
Alternatively, Custom Host Checks can be created using application
Globally Unique IDentifiers (GUID)
Determines the state of the applications (active/inactive, current
version number and signature updates)

11

Client Integrity Checking Configuration


Relies on external vendors to ensure client integrity
Checks if required software is installed on the connecting PC,
otherwise the SSL VPN connection attempt is rejected
CLI-only configuration:
config vpn ssl web portal
edit <portal_name>
set host-check {av|av-fw|custom|fw}
set host-check-interval <seconds>
end

12

FortiGate Multi-Threat Security Systems I

179

SSL VPN

Configuration Steps
1.
2.
3.
4.
5.

Configure the SSL VPN general settings


Set up user accounts and groups for the SSL VPN clients
Configure the web portals to define user access
Create the Firewall Policy with the Authentication Rules
Create Firewall Policies from/to the SSL VPN interface (only for
Tunnel mode)
6. Add routing to ensure that traffic to the users can reach the SSL VPN
interface (only for Tunnel mode)

13

Step 1: SSL VPN General Settings

Certificate presented to clients.


Use a certificate issued by a
Certificate Authority (CA) to
avoid web browser warnings
If set to High, connections with
clients that cannot meet this
standard will fail
Tunnel session timeout
Web portal port number

14

FortiGate Multi-Threat Security Systems I

180

SSL VPN

SSL VPN Policy De-Authentication


Firewall policy authentication session is associated with SSL VPN
tunnel session
Forces expiration of firewall policy authentication session when
associated SSL VPN tunnel session has ended
Prevents reuse of authenticated SSL VPN firewall policies (not yet expired) by a
different user after the initial user terminates the SSL VPN tunnel session

15

Step 2: User Accounts and Groups


SSL VPN supports the following authentication methods:
Local
LDAP
Radius
TACAC+

Additionally, two-factor authentication is also supported


Username and Password (one factor)

+
Token Code (two factor)

16

FortiGate Multi-Threat Security Systems I

181

SSL VPN

Step 3: SSL VPN Portal


Web page displayed after the client has logged into the SSL VPN
Includes widgets to access different SSL VPN functionalities (such
as bookmarks and connection tools)
Software download option for Tunnel mode

17

SSL VPN Portal Configuration


Enable Tunnel mode

Enable Split Tunneling


Virtual IP addresses to be
assigned to Tunnel mode
users
Enable Port Forward mode

Control number of concurrent


sessions per user

18

FortiGate Multi-Threat Security Systems I

182

SSL VPN

SSL VPN Portal Example

19

Step 4: Firewall Policy for SSL VPN Authentication


All the three SSL VPN modes require a firewall policy for
authentication
Tunnel mode requires additional policies to allow traffic to/from the
SSL VPN interface

20

FortiGate Multi-Threat Security Systems I

183

SSL VPN

Firewall Policy for SSL VPN Authentication

21

Step 5: Firewall Policies for Tunnel Mode

22

FortiGate Multi-Threat Security Systems I

184

SSL VPN

Step 6: Routing for Tunnel Mode


Subnet that contains the SSL VPN IP
addresses for Tunnel mode

23

SSL VPN Monitor


A Subsession row below a user
means that is Tunnel mode

SSL VPN IP address for


the user fortinet

Web-only user

24

FortiGate Multi-Threat Security Systems I

185

SSL VPN

SSL VPN Access Modes

Web-only

Tunnel

Port Forward

No client software
required (web browser
only)

Uses FortiGate-specific
client downloaded to PC
(ActiveX or Java applet)

Java applet works as a


local proxy to intercept
specific TCP port traffic
and encrypt it using SSL

Reverse proxy rewriting


of HTTP, HTTPS, FTP,
SAMBA (CIFS)

Requires admin/root
privilege to install
network tunnel adaptor

Java applets for RDP,


VNC, TELNET, SSH

Applet is installed without


admin/root privileges
Client Applications must
point to the Java applet

25

Labs
Lab 1: SSL VPN
Ex 1: Configuring SSL VPN for Web-only access
Ex 2: Configuring SSL VPN for Tunnel mode

26

FortiGate Multi-Threat Security Systems I

186

SSL VPN

Classroom Lab Topology

27

FortiGate Multi-Threat Security Systems I

187

IPSec VPN

IPSec VPN

2014 Fortinet Inc. All rights reserved.


The information contained herein is subject to change without notice. No part of this publication including text, examples, diagrams
1
or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical
or otherwise, for any purpose, without prior written permission of Fortinet Inc.
FGT1-06-50005-E-20140120

Module Overview
IPSec VPN Overview and Terminology
Internet Key Exchange
IKE Phase 1
IKE Phase 2
Diffie-Hellman
Quick Mode Selectors
Policy-based VPN
Route-based VPN
Configuring Point-to-point VPNs
VPN Monitor

FortiGate Multi-Threat Security Systems I

188

IPSec VPN

Module Objectives
By the end of this module participants will be able to:
Define the architectural components of IPSec VPN
Identify the phases of Internet Key Exchange (IKE)
Identify and compare route-based and policy-based VPNs
Deploy a site-to-site VPN between two FortiGate devices
Monitor VPN connections

Virtual Private Networks (VPN)


A virtual private network (VPN) allows users to remotely access
network resources as if they were physically connected to the local
network
Used when there is the need to transmit private data across a public
network
Is an encrypted point-to-point connection, so it cannot be intercepted
by unauthorized users
Uses different security methods to ensure that only authorized users
can access the private network

FortiGate Multi-Threat Security Systems I

189

IPSec VPN

IPSec VPN
Suite of protocols for securing IP communications
by authenticating and/or encrypting packets
Private network

Solves requirements for:

Data
confidential

Authentication
Data has
integrity

Data Integrity
Data Confidentiality
Sender
authenticated
5

IPSec VPN Overview


IPSec VPN operates at the network layer (layer 3)
Encryption occurs transparently to the upper layers
IP packets encapsulated within IPSec packets
Applications do not need to be designed to use IPSec

IPSec VPN can protect upper layer protocols (such as TCP) but
the complexity, overhead and bandwidth required for the
exchange is increased

FortiGate Multi-Threat Security Systems I

190

IPSec VPN

Diffie-Hellman
Diffie-Hellman is a key-agreement protocol to allow a pair of peers to
communicate over an unsecure channel and independently calculate a
shared secret key using only public keys
The shared secret key is then used to calculate keys for symmetric
encryption algorithms (such as 3DES, AES) and symmetric
authentication (HMACs)
With Perfect Forward Secrecy (PFS) a new common secret key is
recalculated each time the phase 2 session key expires

Internet Key Exchange


Internet Key Exchange (IKE) allows the parties involved in a
transaction to set up their Security Associations (SAs)
SAs are the basis for building security functions into IPSec
In normal two-way traffic the exchange is secured by a pair of SAs
IPSec administrators decide the encryption and authentication algorithms that can
be used in the exchange

IKE uses two distinct phases:


Phase 1
Phase 2

FortiGate Multi-Threat Security Systems I

191

IPSec VPN

Phase 1
IKE phase 1 performs the following:
Authenticates and protects the parties involved in the IPSec transaction
Can use pre-shared keys or digital certificates (RSA signature)

Negotiates a matching IKE SA policy between the computers to protect the


exchange
Performs a Diffie-Hellman exchange
The keys derived from this exchange are used in phase 2

Sets up a secure channel to negotiate phase 2 parameters

Two possible modes:


Main mode: 6 packets are interchanged
Aggressive mode: 3 packets are interchanged

Phase 2
IKE phase 2 performs the following:
Negotiates IPSec SA parameters
Protected by existing IKE SA

Renegotiates IPSec SAs regularly to ensure security


Optionally, additional Diffie-Hellman exchange may be performed

There can be more than one phase 2 per each phase 1


One mode:
Quick mode

10

FortiGate Multi-Threat Security Systems I

192

IPSec VPN

Quick Mode Selectors


Are used to identify and direct traffic to the appropriate phase 2 in
cases where multiple phase 2s exist
Allow SAs with different granularities
Similar to firewall policies:
VPN traffic that does not match the selectors is dropped

Selectors support:
Destination and source IP addresses
Protocol number, and source and destination ports

In point-to-point VPNs, the selectors configuration at both ends must


mirror each other:
The source at one end must be the destination at the other end

11

Types of FortiGate VPN configurations


Route-based (also known as interface-based):
Creates a virtual IPSec network interface:
Traffic crossing the tunnel must be routed to the virtual IPSec interface

One firewall policy (with the action ACCEPT) is usually required per direction

Policy-based (also known as tunnel-based):


One firewall policy (with the action IPSEC) is required to allow connections bidirectionally
Hidden in the GUI by default. It can be enabled with the command:
config system global
set gui-policy-based-ipsec enable
end
12

FortiGate Multi-Threat Security Systems I

193

IPSec VPN

Policy-based Versus Route-based


Feature

Policy-based

Route-based

FortiGate operation
modes supported

NAT and transparent modes

Only NAT mode

L2TP-over-IPSec

Yes

No

GRE-over-IPSec

No

Yes

Routing Protocols

No

Yes

Number of policies
per VPN

One policy controls connections A separated policy is


in both directions
required for connections
in each direction

Generally speaking, route-based VPNs offer more control and


flexibility

13

Configuration
Step 1: Configure the phase 1
Step 2: Configure one or more phases 2
Step 3: Create the firewall policies
Step 4: Route the traffic to the IPSec interface (only for routebased VPNs)

14

FortiGate Multi-Threat Security Systems I

194

IPSec VPN

Step 1: Defining Phase 1 Parameters

Enable it to select routebased VPN. Disable it to


select policy-based VPN

15

Step 2: Defining Phase 2 Parameters

16

FortiGate Multi-Threat Security Systems I

195

IPSec VPN

Step 3: Firewall Policy for Policy-based VPN

17

Step 3: Firewall Policy for Route-based VPN

The name of the IPSec


interface matches the
name of the phase 1

18

FortiGate Multi-Threat Security Systems I

196

IPSec VPN

Step 4: Routing the Traffic (only for Route-based VPN)


IP address
at the
remote site

IPSec
Interface

19

IPSec VPN Monitor


Monitor activity on IPSec VPN tunnels
Stop and start tunnels
Display address, proxy IDs, timeout information

Green arrow indicates that the negotiations were successful and


tunnel is UP
Red arrow means tunnel is DOWN or not in use

20

FortiGate Multi-Threat Security Systems I

197

IPSec VPN

IPSec VPN Monitor Example

Key life
remaining time
Phase 1
name

Local Quick
Mode
Selector

Status
Remote
Quick Mode
Selector

21

Labs
Lab 1: IPSec VPN
Ex 1: Site to Site IPSec VPN

22

FortiGate Multi-Threat Security Systems I

198

IPSec VPN

Classroom Lab Topology

23

FortiGate Multi-Threat Security Systems I

199

Antivirus

Antivirus

2014 Fortinet Inc. All rights reserved.


The information contained herein is subject to change without notice. No part of this publication including text, examples, diagrams
1
or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical
or otherwise, for any purpose, without prior written permission of Fortinet Inc.
FGT1-07-50005-E-20131015

Module Overview
Terminology
Heuristic Scanning
Sandboxing
Botnet Connections
Proxy-Based scanning
Flow-Based scanning
Conserve mode
Memory Diagnostics

and more
2

FortiGate Multi-Threat Security Systems I

200

Antivirus

Module Objectives
By the end of this module participants will be able to:
Identify conserve mode conditions and AV system behavior
Define the virus scanning techniques used on the FortiGate unit
Differentiate between proxy-based and flow-based virus scanning
Configure virus scanning
Update antivirus signature databases through FortiGuard services
Set up Grayware and Heuristic scanning
Submit unknown virus samples to Fortinet
Describe the virus scanning order of operations

Terminology: Malware Classifications


Malware
Umbrella term for software that makes unauthorized changes to a
computer

Virus
Infects the computer and spreads on its own
User interaction is not required
o Behavior is modeled after a biological virus
o Size: very small

Grayware
User interaction is required for installation
Often comes bundled with installation of free software
o Size: highly variable (usually small)
4

FortiGate Multi-Threat Security Systems I

201

Antivirus

Types of Malware: Virus Types


Trojan
Spread to other hosts
Does not replicate on the same host (multiple infections still possible)

Worm
Spread to other hosts
Replicates on the same host, repeatedly

Types of Malware: Evasion Techniques


Encrypted
Payload is encrypted

Polymorphic
Payload uses changing encryption with each infection
Requires polymorphic engine as part of payload

Metamorphic
Rewrites payload with each infection
Requires metamorphic engine as part of payload

FortiGate Multi-Threat Security Systems I

202

Antivirus

Types of Malware: Behavior


Spyware
Tracks user website behavior

Adware
Automatically injects advertisements in order to generate revenue

Ransomware
Restricts user access and demands payment to remove

Rootkit
Obtains root admin access

Keylogger
Capture keystrokes

Mass Mailer
Sends out large volumes of emails
7

Antivirus
Detect and eliminate viruses,
worms, Trojans and spyware in realtime
Stop threats before they enter the
network

Antivirus

Scans HTTP and FTP traffic as well


as SMTP, POP3 and IMAP and
other protocols
Internet Content Adaption Protocol
(ICAP) support
FortiGate unit acts as ICAP client to
communicate with ICAP servers that
the FortiGate unit can utilize for
offloading AV scanning services
First enable in CLI:
conf sys global
set gui-icap enable

then configure under Security


Profiles > ICAP

FortiGate Multi-Threat Security Systems I

203

Antivirus

Heuristics scanning
Virus-like attribute
+ Virus-like attribute
+ Virus-like attribute
> Heuristic threshold
Heuristic scanning tests for virus-like or
dangerous behavior
Virus-like attributes totaled. If greater than a
threshold, the file is marked as suspicious
Possibility of false positives

Suspicious

Heuristics scanning: Configuration


# config antivirus heuristic
# set mode [pass|block|disable]
# end

Pass
Enable Heuristic scanning and pass detected files

Block
Enable Heuristic scanning and block detected files

Disable
Turn off Heuristic scanning

10

FortiGate Multi-Threat Security Systems I

204

Antivirus

Grayware scanning
# config antivirus setting
# set grayware[enable|disable]
# end

Enable or Disable only


Acts as part of normal virus scan
Takes action as if infected with virus

11

Sandboxing

Files detected by Heuristics as suspicious can be submitted for


Sandboxing
FortiGuard or FortiSandbox

Sandboxing a file is when it is executed and monitored within a


protected environment to determine if it is a new kind of virus or just a
software install
Driver install modifies the registry and/or the system files

Helps detect Zero day vulnerabilities and provide data for the
FortiGuard AV analysts
12

FortiGate Multi-Threat Security Systems I

205

Antivirus

Botnet Connections

FortiGuard maintains a list of known Botnet IP addresses


Connections to known Botnet server IPs will be dropped
Botnet list periodically updated with FortiGuard updates
Requires valid contract
Can view database version in CLI

diag autoupdate version

13

Proxy-Based scanning
Antivirus proxy buffers
the file as it arrives
Once transmission is
complete, virus
scanner examines the
file
Higher detection and
accuracy rate
Comfort Clients can be
used to avoid timeouts
Multiple Database
options
14

FortiGate Multi-Threat Security Systems I

206

Antivirus

Proxy-Based scanning: File Size vs detection rate


Most malware is small
Altering file size does not greatly impact security
Altering file size can greatly impact memory levels
10mb default size is to achieve certification
1mb 2mb 3mb 4mb 5mb 6mb 7mb 8mb 9mb 10mb
exploit
mass-mailer
phish
spyware
trojan
virus
worm

99.83% 99.95% 99.97% 99.97% 99.98% 99.98% 99.99% 100%

100%

100%

100%

99.62% 99.87% 100%

100%

100%

100%

100%

100%

100%

100%

100%

100%

100%

100%

100%

100%

100%

100%

100%

100%

100%

100%

95.08% 97.97% 98.88% 99.47% 99.76% 99.83% 99.89% 99.91% 99.94% 99.95%

100%

97.52% 99.24% 99.62% 99.80% 99.88% 99.93% 99.95% 99.97% 99.98% 99.98%

100%

98.27% 99.37% 99.63% 99.80% 99.88% 99.93% 99.95% 99.97% 99.98% 99.99%

100%

99.02% 99.65% 99.74% 99.86% 99.89% 99.92% 99.94% 99.94% 99.95% 99.96%

100%

15

Proxy-Based scanning: Scan order (Not Oversized)


Buffer the File until Eof or
Oversize limit

START

Larger then
oversize?
No

Is an Archive?

Yes

Block the
file/Email

No

No

Virus Scan

Yes

Uncompress size
Limit?

Infected

Clean

Grayware
Enabled?

Pass the
file/Email

Grayware Scan
Clean

No

Heuristic
Enabled?

Infected

Yes

Block
Yes

No

Heuristic
Scan
Clean

Infected

Action?
Pass

16

FortiGate Multi-Threat Security Systems I

207

Antivirus

Proxy-Based Scanning: Scan order (Oversized)


Buffer the File until Eof or
Oversize limit

Larger then
oversize?

START

Yes

Oversize
action?
Block

Pass

Block the
file/Email

Pass the
file/Email

17

Proxy-Based Scanning: Full Decision Tree


Buffer the File until Eof or
Oversize limit

Larger then
oversize?

START

Yes

Oversize
action?
Block

Is an Archive?

Yes

Pass

Block the
file/Email

No

No

Virus Scan

Yes

Uncompress size
Limit?

Infected

Clean

Grayware
Enabled?

Pass the
file/Email

Grayware Scan
Clean

No

Heuristic
Enabled?

Infected

Yes

Block
Yes

No

Heuristic
Scan
Clean

Infected

Action?
Pass

18

FortiGate Multi-Threat Security Systems I

208

Antivirus

Flow-Based Scanning

File is scanned on a
packet-by-packet
basis as it passes
through the FortiGate
unit
Faster scanning, but
lower accuracy rate
Difficulty in catching
virus variants

Only available on
certain models
Non-proxy scanning
19

Flow-Based Scanning: Scan order


Pass the
file/Email

Clean

Virus Scan

Normalize
Packet

START

Infected

Block the
file/Email

Normalization is required to get at the real packet contents


Headers removed (tunneling, GRE, etc)
Reassembled (if fragmented)

Virus scanning within an archive is not possible


Requires entire file to decompress (proxy-based only)

Grayware: some signatures included in Flow-Database


Heuristic (proxy-based only)
20

FortiGate Multi-Threat Security Systems I

209

Antivirus

Compressed File scanning


Identification of archive types can usually be done with just file header
information
Proper decompression takes entire file
Password protected archives cannot be decompressed
Archive is unpacked and the contents are scanned
Scanning inside nested archives is supported (default 12 layers)
# config antivirus service <service>
# set uncompnestlimit <2-100>
# end

21

Proxy Scanning Time limit


AV Scanning on the local PC is not limited by time
User can wait until scan is finished.

Proxy delays traffic


30 seconds are allowed for AV scanning to complete
Watchdog will interrupt scan process, traffic will pass (possible timeout has
already occurred)
Entry goes into crashlog, Scanunit crashed Signal 14

22

FortiGate Multi-Threat Security Systems I

210

Antivirus

Virus Definition Databases

Regular

Extended

Smart Update technology

Flow-Based

Only Databases that are enabled for use on a


Firewall policy will update
Extreme

23

Virus Definition Databases: Updating


Manually download definitions from Support site and upload

Automatically

24

FortiGate Multi-Threat Security Systems I

211

Antivirus

Virus Definition Databases: Proxy Database selection


Default is to scan using regular in the wild database
set proxy database in CLI
# config antivirus setting
# set default-db [normal|extended|extreme]
# end

Regular database available on all models


Extended database available on most models
Extreme database only available on a select few models

25

Submitting Unknown Viruses


Sometimes a virus may go undetected because
it is not in the signature database
To submit a virus go to:
http://www.fortiguard.com/antivirus/virus_scanner.html

26

FortiGate Multi-Threat Security Systems I

212

Antivirus

Investigating Virus Infections


Sometimes viruses will get through because the
proper antivirus scan options are not enabled
FortiGuard Subscription Service contains information on
which database a virus is in

27

Antivirus Profiles

28

FortiGate Multi-Threat Security Systems I

213

Antivirus

SSL Inspection Options

29

Logging and Monitoring

30

FortiGate Multi-Threat Security Systems I

214

Antivirus

Conserve mode: What is it?


What is Conserve mode?
System self protection measure when facing local resource exhaustion
When entering conserve mode the FortiGate unit activates protection measures in
order to recover exhausted resources
Once enough resources are recovered, the system leaves the conserve mode
state and releases the protection measures

Search conserve mode at: http://kb.fortinet.com


KB Article IDs: FD33103, 11076, 10209

31

Conserve mode: Different Types


3 kinds of Conserve mode
Kernel
Not enough memory available for the operating system (kernel) to do its job
No set memory level

System
Overall high memory situation
Occurs when system memory hits around 80% (exits at 70%)

Proxy
Occurs when proxy runs out of available connects
Max proxy connections varies by device model

Impact (configurable for System&Proxy)


Only New sessions are subject to conserve mode rules
Fail Open or Closed

32

FortiGate Multi-Threat Security Systems I

215

Antivirus

Conserve mode: av-failopen


av-fail-open is a CLI setting that governs FortiGate
behavior for UTM inspected traffic when the device enters
System Conserve mode (~80% Memory)
config system global
set av-failopen {idledrop | off | one-shot | pass}
end

idledrop Drops all idle connections on the proxy


off All new sessions with UTM scanning enabled are not passed
one-shot attempt UTM scanning on all new sessions
pass(default) All new sessions with UTM scanning enabled
pass without inspection
33

Conserve mode: av-failopen-session


av-failopen-session is a CLI setting that governs
FortiGate behavior for UTM inspected traffic when the
device enters Proxy Conserve mode (0 available connections
on the proxy)
config system global
set av-failopen-session {enable | disable}
end

enable Use behavior from av-failopen setting


disable(default) block all further sessions, until
connections become available on the proxy

34

FortiGate Multi-Threat Security Systems I

216

Antivirus

Conserve mode: Kernel Conserve mode


Kernel Conserve mode behavior is not
configurable.
FortiGate attempts to clear up memory by letting go of
memory that is not in use, but has not been released yet
All idle connections on proxies are dropped
New connections pass without inspection (not
configurable)

35

Conserve mode: Log Behavior


Kernel and System conserve mode occur due to lack of overall
memory resources.
Event recorded in memory
Log can not be created until the device leaves conserve mode

Proxy conserve mode is a depletion of available connections, but not


memory
Log created immediately

Proper monitoring of vital infrastructure components is essential


SNMP, etc

36

FortiGate Multi-Threat Security Systems I

217

Antivirus

Memory Diagnostics: get sys perf stat


# get sys perf stats
CPU states: 0% user 0% system 0% nice 100% idle
CPU0 states: 0% user 0% system 0% nice 100% idle
CPU1 states: 0% user 0% system 0% nice 100% idle
CPU2 states: 0% user 0% system 0% nice 100% idle
CPU3 states: 0% user 0% system 0% nice 100% idle
Memory states: 57% used
Average network usage: 21 kbps in 1 minute, 17 kbps in 10 minutes, 92 kbps
in 30 minutes
Average sessions: 114 sessions in 1 minute, 130 sessions in 10 minutes, 176
sessions in 30 minutes
Average session setup rate: 0 sessions per second in last 1 minute, 0
sessions per second in last 10 minutes, 0 sessions per second in last 30
minutes
Virus caught: 0 total in 1 minute
IPS attacks blocked: 0 total in 1 minute
Uptime: 10 days, 0 hours, 17 minutes

37

Memory Diagnostics: diag hard sys shm


# diag hard sys shm
SHM counter:
25769
SHM allocated:
32575488
SHM total:
1629380608
conservemode:
0
shm last entered:
n/a
system last entered: n/a
SHM FS total: 1665851392
SHM FS free:
1631911936
SHM FS avail: 1631911936
SHM FS alloc:
33939456

1 Proxy
2 System
3 Both

38

FortiGate Multi-Threat Security Systems I

218

Antivirus

Memory Diagnostics: diag fire iprope state


# diag fire iprope state
av_break=pass/off av_conserve=off Alloc: iprope=167 shaper=5 user=0 nodes=4 pol=10
app_src=0 auth_logon=0 auth_info=0
av_service=http fail open act=off
av_service=imap fail open act=off
av_service=pop3 fail open act=off
av_service=smtp fail open act=off
av_service=ftp
fail open act=off
av_service=im
fail open act=off
av_service=p2p
fail open act=off
av_service=nntp fail open act=off
av_service=https fail open act=off
av_service=imaps fail open act=off
av_service=pop3s fail open act=off
av_service=smtps fail open act=off
av_service=ftps fail open act=off
av_service=cifs fail open act=off
total group number = 12 act=2
00100012 00100003 00000003 00000004 00100004 00000005 00000006 00000007 0010000a 0010000c
0010000e 0010000f

off not in Kernel Conserve mode


pass Kernel Conserve mode

39

Memory Diagnostics: diag hard sys slab


# diag hard sys slab
slabinfo - version: 1.1 (SMP)
kmem_cache
108
108
tcp6_session
0
0
ip6_session
0
0
sctp_session
0
0
tcp_session
380
628
ip_session
414
600
ip6_mrt_cache
0
0
fib6_nodes
118
118
ip6_dst_cache
60
60
ndisc_cache
34
34
ip_mrt_cache
0
0
tcp_tw_bucket
384
510
tcp_bind_bucket
672
672
tcp_open_request
624
624

Google unix slab for more information


216
928
864
992
960
928
384
64
320
224
352
224
32
160

6
0
0
0
122
130
0
2
5
2
0
30
6
26

6
0
0
0
157
150
0
2
5
2
0
30
6
26

1
1
2
1
1
1
1
1
1
1
1
1
1
1

0 :
0 :
0 :
0 :
35 :
20 :
0 :
0 :
0 :
0 :
0 :
0 :
0 :
0 :

252
124
124
124
124
124
124
252
124
252
124
252
252
252

126
62
62
62
62
62
62
126
62
126
62
126
126
126

40

FortiGate Multi-Threat Security Systems I

219

Antivirus

Memory Diagnostics: diag sys top-summary


# diag sys top-summary
CPU [||||||||||
Mem [||||||||||||||||||||||
Processes: 20 (running=1 sleeping=100)
PID
* 594
44
50
51
52
53
54
60
61
64
614
68
74
75
80

RSS
16M
22M
12M
11M
15M
11M
51M
47M
4M
12M
343M
11M
11M
11M
11M

^CPU% MEM%
0.0 0.8
0.0 1.1
0.0 0.6
0.0 0.6
0.0 0.8
0.0 0.6
0.0 2.6
0.0 2.4
0.0 0.2
0.0 0.6
0.0 17.4
0.0 0.6
0.0 0.6
0.0 0.6
0.0 0.6

FDS
28
11
89
9
54
5
19
1465
43
7
71
5
7
7
8

TIME+
00:02.30
00:23.44
00:00.64
00:00.10
21:23.55
00:00.20
02:09.40
01:44.27
00:00.70
00:00.00
00:24.66
00:00.00
00:00.20
00:00.00
00:00.00

]
]

25.0%
55.0%

1101M/1975M

RSS Real Set Size

NAME
scanunitd [x4]
cmdbsvr
zebos_launcher [x12]
uploadd
miglogd [x2]
kmiglogd
httpsd [x7]
proxyd [x7]
imd
wad_diskd
ipsmonitor [x7]
getty
merged_daemons
fnbamd
fclicense

Memory usage

FDS File Descriptors


# open files
# Times the process has
forked

41

Labs
Lab 1: Antivirus Scanning
Ex 1: Antivirus Testing

42

FortiGate Multi-Threat Security Systems I

220

Antivirus

Classroom Lab Topology

43

FortiGate Multi-Threat Security Systems I

221

Email Filtering

Email Filtering

2014 Fortinet Inc. All rights reserved.


The information contained herein is subject to change without notice. No part of this publication including text, examples, diagrams
1
or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical
or otherwise, for any purpose, without prior written permission of Fortinet Inc.
FGT1-08-50005-E-20131015

Module Overview
The Building blocks of Email
Email Filtering Methods
Email Filtering Actions
Email Filtering Order of Operations
Email Filtering and Virus Scanning
Submitting False-Positives through FortiGuard
Creating an Email Filter Profile
Viewing Email Filtering Log Messages
Deployment strategies

FortiGate Multi-Threat Security Systems I

222

Email Filtering

Module Objectives
By the end of this module participants will be able to:
Identify the email filtering methods used on a FortiGate device
Create Firewall policies for Spam detection and email scanning using Email Filter
profiles
Modify inspection rules in order to black or white list emails
State available inspection options for various transmission protocols
Describe the flow of email through various transmission protocols
Use logs to view and monitor email filtering activity and events

Email Basics Overview: Abbreviations & Terminology


SMTP Simple Mail Transfer Protocol (RFC 821)
ESMTP Extended Simple Mail Transfer Protocol (RFC 5321)
POP Post Office Protocol (RFC 1939 POP3)
IMAP Internet Message Access Protocol (RFC 2060 IMAP4rev1)
MTA Mail Transfer Agent (Email Server)
MAA Mail Access Agent (User Authentication & Mail Retrieval)
MUA Mail User Agent (Software like Thunderbird)
MX Record Mail Exchange Record (DNS lookup)
Mail Relay Intermediate Mail server
Open Relay Mail server with no restrictions on destination emails
4

FortiGate Multi-Threat Security Systems I

223

Email Filtering

The building blocks of Email: SMTP


Designed to get a message from point A to point B, without knowing
anything about point B
Port 25

Clear text protocol


Best effort protocol (very little is required)
Only a destination

3 Digit response codes to command requests


2xx indicates the command was successful
3xx command incomplete (authentication is multiple steps)
4xx temporary failure of some kind (situation may fix itself, try again later)
5xx permanent failure (Human intervention is required to change this)

SMTPS is SMTP encapsulated in SSL encryption on port 465


5

The building blocks of Email: MX Records


Used to resolve Mail domains

>nslookup

Can contain hostnames or IPs

> server 4.2.2.3

Each entry contains a preference/priority (lowest first)

Default Server: [4.2.2.3]


Address: 4.2.2.3
> Set q=a+aaaaa
> google.com
Server: [4.2.2.3]
Address: 4.2.2.3

> nslookup
> server 4.2.2.3
Default Server: [4.2.2.3]
Address: 4.2.2.3
> set q=mx
> google.com
Server: [4.2.2.3]
Address: 4.2.2.3
Non-authoritative answer:
google.com
MX preference
google.com
MX preference
google.com
MX preference
google.com
MX preference
google.com
MX preference

=
=
=
=
=

50,
10,
20,
40,
30,

mail
mail
mail
mail
mail

exchanger
exchanger
exchanger
exchanger
exchanger

=
=
=
=
=

alt4.aspmx.l.google.com
aspmx.l.google.com
alt1.aspmx.l.google.com
alt3.aspmx.l.google.com
alt2.aspmx.l.google.com

Non-authoritative answer:
Name:
google.com
Addresses:
2001:4860:4007:800::1005
74.125.224.164
74.125.224.169
74.125.224.168
74.125.224.165
74.125.224.161
74.125.224.163
74.125.224.167
74.125.224.162

FortiGate Multi-Threat Security Systems I

224

Email Filtering

The building blocks of Email: POP & IMAP


Protocols are used to receive/check email
Can not be used to send email

POP is very basic protocol


Download & delete
data stored on client (server only has Inbox)

IMAP is more robust


Create & delete mailboxes (server side folders)
Synchronize folders (inbox, sent items, etc)
Designed for accessing the same email from multiple locations

Secure versions are encapsulated in SSL and run on different ports


POP3S (995) IMAPS (993)
7

Email Basics: Overview of Message Flow

4
1

2
6
;; ANSWER SECTION:
example3.com
3600
example3.com
3600

IN
IN

MX
MX

50 relay.example2.net
100 mail.example3.com

;; ANSWER SECTION:
example3.com
3600
example3.com
3600

IN
IN

MX
MX

50 mail.example3.com
100 relay.example2.net

FortiGate Multi-Threat Security Systems I

225

Email Filtering

Spam Actions
Tag to add a custom
phrase/word to subject line
or a MIME header and
value to body of an email
message for use in back
end or client filtering
Discard to immediately
drop the SMTP connection
if spam is detected,
sending a 5xx response

Tag

Discard

Subject: Free Stuff

Subject: [SPAM] Free Stuff

Email Filtering
FortiGate unit can detect and
manage spam email
Email filtering
SPAM?

10

FortiGate Multi-Threat Security Systems I

226

Email Filtering

Email Filtering Methods


The FortiGate unit uses a number of techniques to help detect spam
Some use the FortiGuard Antispam service (requires a subscription)
IP, Email, URL, Checksum

Others use DNS servers or filters created on the device


HELO DNS
Return Email

Manually configured options


Black/White listed IPs
Black/White listed Emails (py IP, by name: domain or email)
MIME Headers
Banned word

11

Email Filtering Methods: FortiGuard IP


Connecting IP address is checked
FortiGuard is a reputation database
IP behavior is tracked by volume (historically)
More queries about an IPs activity to the FortiGuard network makes the
reputation worse
IPs have a reputation score, the higher the better
1 is permanently black listed (score will not change, without FortiGuard interaction)
3 or less is considered spam

12

FortiGate Multi-Threat Security Systems I

227

Email Filtering

Email Filtering Methods: FortiGuard URL and Email Address

Visit our web site at www.acme.com to


learn more about this great offer or
send an email to deals@acme.com.

What language or character set is the email in?


KB Article ID: FD32502

13

Email Filtering Methods: FortiGuard Email Checksum

The FortiGate unit


sends a hash of
the email message
to the FortiGuard
Antispam Service
FortiGuard
Antispam Service
compares the hash
received to hashes
of known spam
messages

Our online
pharmacy offers
great prices on
all your
prescription
medications.

hash

14

FortiGate Multi-Threat Security Systems I

228

Email Filtering

Email Filtering Methods: Black/White List (IP)


The FortiGate unit compares the IP address of the sender of an
email message to the IP addresses specified in the email filter
profile
An administrator can add to or edit the IP addresses and configure the action
to take

Possible actions on a match


Spam (use configured spam action)
Clear (consider as not Spam)
Reject (SMTP Only, force 5xx response regardless of spam action)

15

Email Filtering Methods: Black/White List (email)


The FortiGate unit
compares the email
address of the sender of
an email message to the
email addresses specified
in the email filter profile

From: bsmith@acme.com

Mark as Spam
Mark as Clear

An administrator can add


to or edit the email
addresses and configure
the action to take
Wild card and regular
expressions can be used
to define the email
address

16

FortiGate Multi-Threat Security Systems I

229

Email Filtering

Email Filtering Methods: HELO DNS


220 mail.server.com ESMTP service ready
EHLO server.example.com
DNS resolves ?
250- mail.server.com says hello
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-CHUNKING
250-8BITMIME
250-SIZE 54525952

Confirms that
client EHLO
response resolves
to an IP address

17

Email Filtering Methods: Return Email DNS


Confirms that sending email domain from the reply-to field resolves to
an IP Address
Domain the email gets sent to, should resolve to an IP

Does NOT perform any kind of comparison to senders IP

18

FortiGate Multi-Threat Security Systems I

230

Email Filtering

Email Filtering Methods: Banned Word


Banned words
FortiGate unit blocks
email based on words or
patterns in the message
A weight is assigned to
any banned words in the
message
If threshold is exceeded,
the message is marked
as spam
Define using Wildcards
and regular expressions
Patterns only count
towards total score once

Let us fill all your prescription


drugs. Visit our online pharmacy
for great prices on prescription
medications. We offer the widest
selection of popular drugs.

Drugs
Score=10

Pharmacy
Score=5

Prescription
Score=5

Threshold=18
10 +5 +5 =20

19

Email Filtering Methods: MIME Headers


The FortiGate unit can check the MIME header information of
incoming email messages
If a match is found in the header list configured on the device, the
corresponding action is taken

Configured through CLI only


# config spamfilter mheader
# edit (id)
# config entries
# edit (entry_id)
# set action [spam|clear]
# set fieldbody (pattern)
# set fieldname (pattern)
# end

20

FortiGate Multi-Threat Security Systems I

231

Email Filtering

Email Filtering Methods: DNSBL and ORDBL


The FortiGate unit can compare the IP address or domain
name of incoming email message against third-party DNSBL
and ORDBL lists
Match IP addresses or domain names of known spammers

Configured through CLI only


# config spamfilter dnsbl
# edit [id]
# config entries
# edit [entry_id]
# set action [spam|reject]
# set server [destination]
# set status [enable|disable]
# end

21

Checking all MTAs an email passed through


IP based checks only look at the connecting IP of the session to
determine if email is blacklisted (default)
Every time an email passes through a mail server an entry should be
added to the Received MIME header (depends on mailserver)
FortiGate can walk through receive header and check all IPs
New Servers should be added to the beginning of the list

FortiGate can walk through receive header and check all IPs
Can cause issues if DNS is slow (emails can pass through multiple servers)
# config spamfilter profile
# edit <profile_name>
# config [pop|imap|smtp]
# set hdrip [enable|disable(default)]
# end
22

FortiGate Multi-Threat Security Systems I

232

Email Filtering

The Received MIME Header


Normal contents can include:
Date/time, ID, Transmitting Mail info (EHLO & IP), Receiving Mail info (Name and IP),
TLS information, Protocol
Exact format varies based on server software and configuration
Received: from mail.fortinet.com (192.168.221.64) by
FGT-EXCH-CAS212.fortinet-us.com (192.168.221.212) with Microsoft SMTP Server
id 14.1.438.0; Thu, 20 Feb 2014 19:58:32 -0800
Received: from mailrelay.fortinet.com (mailrelay.fortinet.com
[192.168.221.66]) by mail.fortinet.com (8.14.4/8.14.4) with ESMTP id
s1L3wWr7030157 for <xxxxxxxx@fortinet.com>; Thu, 20 Feb 2014 19:58:32 -0800
Received: from smtp.fortinet.com (smtp.fortinet.com [192.168.221.75]) by
mailrelay.fortinet.com (8.13.8/8.13.8) with ESMTP id s1L3wWep008129 for
< xxxxxxxx@fortinet.com >; Thu, 20 Feb 2014 19:58:32 -0800
Received: from mail-qg0-f47.google.com (mail-qg0-f47.google.com
[209.85.192.47]) by smtp.fortinet.com with ESMTP id
s1L3wUb7004281-s1L3wUb9004281 (version=TLSv1.0 cipher=RC4-SHA bits=128
verify=CAFAIL) for < xxxxxxxx@fortinet.com >; Thu, 20 Feb 2014 19:58:31 -0800
Received: by mail-qg0-f47.google.com with SMTP id 63so6254138qgz.6 for
< xxxxxxxx@fortinet.com >; Thu, 20 Feb 2014 19:58:30 -0800 (PST)

23

Email Filtering Order: SMTP

IP BWL Check

DNSBL & ORDBL


FortiGuard IP
HELO DNS

MIME Header
Email BWL

Banned word
(on Body)

IP BWL Check
(Receive Header)

Banned word
(on Subject)

Return Email DNS


FortiGuard URL
FortiGuard Checksum
DNSBL & ORDBL
(Receive Header)

Email filter checks continue until EITHER


A check comes back with an action
All checks are passed

24

FortiGate Multi-Threat Security Systems I

233

Email Filtering

Email Filtering Order: POP3 & IMAP

MIME Header
Email BWL

Banned Word
(on Subject)

Not all SMTP based spam checks


are available!!
POP3/IMAP used between Mail server
and client checking email
SMTP used for delivering email

Return Email DNS


FortiGuard IP
FortiGuard URL
FortiGuard Checksum
DNSBL & ORDBL

IP BWL Check

Banned word
(on Body)

25

FortiGuard: Query cache


Cache
Caching reduces
FortiGuard requests;
can improve
performance
Small % of system
memory dedicated to
cache
Query results cached
until TTL setting is
reached
Alternate port 8888 for
access to FortiGuard
servers

IP address:
10.10.10.1
URL:
www.acme.com
Message
checksum:
x65Fsd34c

#
#
#
#
#

config system fortiguard


set antispam-cache [enable|disable]
set antispam-cache-ttl (300 - 86400)
set antispam-cache-mpercent (1-15%)
end

26

FortiGate Multi-Threat Security Systems I

234

Email Filtering

FortiGuard: Connectivity
#diagnose spamfilter fortishield servers
Locale
License
Expiration

: english
: Contract
: Mon Apr 28 16:00:00 2014

-=- Server List (Thu Feb 20 14:09:04 2014) -=IP


208.91.112.196
208.91.112.198
96.45.33.65
66.117.56.37
209.222.147.43
66.117.56.42
80.85.69.37
80.85.69.40
62.209.40.74

Weight
0
0
0
30
30
30
80
80
90

RTT Flags
1 DI
1 D
25
72
68
73
147
147
207

TZ
-8
-8
-8
-5
-5
-5
0
0
1

Packets
5
2
1
1
1
1
1
1
1

Curr Lost Total Lost


0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0

27

Request Removal From FortiGuard


Spam filtering is best effort, so there can be false positives that
occur periodically
FortiGuard Antispam Portal: www.fortiguard.com/antispam/antispam.html

28

FortiGate Multi-Threat Security Systems I

235

Email Filtering

Email Filter Profile


Email Filter security feature disabled by default
To configure profile, first go to System > Status and set Email Filter to ON

29

SSL Options
SMTPS is SSL encapsulated SMTP
Decoding requires SSL/SSH Inspection profile

ESMTP contains StartTLS command (if supported by server)


Encrypts communication from that point
No SSL/SSH Inspection profile means no inspection or email log.

30

FortiGate Multi-Threat Security Systems I

236

Email Filtering

Combining AV & Email Filtering


If virus scan is enabled the scan happens as the last email filter check
Clear actions associated with the email DO NOT BYPASS the virus scan
White listed senders can still get infected with a virus

Spam actions associated with the email DO NOT BYPASS the virus scan
Unless the action is DISCARD
Spam email passing through could also have a virus

If a virus is found, the email is considered spam (even with a clear


action)
Spam Action Tag: Infection is removed and replaced with TXT file containing the
AV block message
Spam Action Discard: SMTP connection is blocked with 5x response

31

Reading Log entries: Forward Traffic log


Email Filter log entries appear in Traffic Log > Forward Traffic log by
default
Intended to be brief/summary only

32

FortiGate Multi-Threat Security Systems I

237

Email Filtering

Reading Log entries: Email Filter log


# set extended-utm-log enable

logs show under Security Log> Email Filter as well


More detailed
Additional info means additional resources to create/store log

33

Deployment Strategies: Multiple Spamfiltering devices


Multiple Spam filtering devices/software
Enable checks that are not available on other devices
Only Last device should be able to effect mail flow (discard/quarantine emails)

34

FortiGate Multi-Threat Security Systems I

238

Email Filtering

Deployment Strategies: Geographic Considerations


Geographic IP address object can block source IPs
Not all mail servers are located within their countries

Mail BWL can block based on domain suffix (

http://en.wikipedia.org/wiki/List_of_Internet_top-level_domains

Not all mail domains have suffix for their country of origin

Business considerations need to be remembered

#
#
#
#

set pattern ".*\\.[ru|bz]"


set pattern-type regexp
set score 1000
language western

35

Labs
Lab 1: Email Filtering
Ex 1: Configuring FortiGuard AntiSpam

36

FortiGate Multi-Threat Security Systems I

239

Email Filtering

Classroom Lab Topology

37

FortiGate Multi-Threat Security Systems I

240

FortiGate Multi-Threat Security Systems I

Web Filtering

Web Filtering

2014 Fortinet Inc. All rights reserved.


The information contained herein is subject to change without notice. No part of this publication including text, examples, diagrams
1
or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical
or otherwise, for any purpose, without prior written permission of Fortinet Inc.
FGT1-09-50005-E-20140326

Module Overview
Web Filtering Functionality
Overview
Web Filtering
Communications
HTTP Inspection Order
Types of Web Filtering
Proxy-Based Web Filtering
Flow-Based Web Filtering
DNS-Based Web Filtering
Web Content Filtering
Web URL Filtering

Forcing SafeSearch
FortiGuard Category Filter
FortiGuard Caching
FortiGuard Usage Quotas
Web Site Rating Submissions
Web Site Rating Overrides
Local Categories
Web Filter Profiles
Web Filter Profiles Actions

FortiGate Multi-Threat Security Systems I

241

FortiGate Multi-Threat Security Systems I

Web Filtering

Module Objectives
By the end of this module participants will be able to:
Identify the web filtering mechanisms used on the FortiGate device
State available web filtering modes and their functionality differences
Select the most effective technique for blocking or allowing a web site
Create web content and URL filters
Configure FortiGuard Web Filtering exemptions and rating overrides
Create firewall policies for web filtering using web filter profiles
View and monitor logs for web filtering activity and events

Web Filtering
Means of controlling the web content that a user is able to view
Preserve employee productivity
Prevent network congestion where valuable bandwidth is used for non-business
purposes
Prevent loss or exposure of confidential information
Decrease exposure to web-based threats
Limit legal liability when employees access or download inappropriate or offensive
material
Prevent copyright infringement caused by employees downloading or distributing
copyrighted materials
Prevent children from viewing inappropriate material

FortiGate Multi-Threat Security Systems I

242

FortiGate Multi-Threat Security Systems I

Web Filtering

Proxy-Based Web Filtering (1 of 2)


Proxy based solution that communicates between client and server
Inspects full URL
Allows for customizable block pages to display when sites are
prevented
Most resource intensive option
Lowest throughput
Has the Most options available in Advanced section

Proxy-Based Web Filtering (2 of 2)


Select inspection mode
in web filter profile

FortiGate Multi-Threat Security Systems I

243

FortiGate Multi-Threat Security Systems I

Web Filtering

Flow-Based Web Filtering (1 of 2)


Non-proxy solution that uses IPS engine to perform inspection
High throughput
Inspects full URL
FortiGuard Web Filtering override will not apply when flow-based
inspection is enabled
Only a few Advanced options available
Not as flexible as proxy-based
Allow, Monitor, Block ONLY
Warn and Authenticate not possible
Overrides not possible

Flow-Based Web Filtering (2 of 2)


Select inspection mode in web filter profile

FortiGate Multi-Threat Security Systems I

244

FortiGate Multi-Threat Security Systems I

Web Filtering

DNS-Based Web Filtering (1 of 2)


DNS-proxy solution that uses DNS queries to decide access
DNS queries redirected to FortiGuard SDNS server
Very lightweight
SSL inspection never required
Cannot inspect URL, only hostname (DNS)
Supports URL Filtering and FortiGuard Category only
No individual block pages, can redirect to a portal
Web site access by IP address is resolved and filtered, as well.

DNS-Based Web Filtering (2 of 2)


Select inspection mode in web filter profile

10

FortiGate Multi-Threat Security Systems I

245

FortiGate Multi-Threat Security Systems I

Web Filtering

When Does Filtering Activate?


www.acme.com

DNS Request

DNS Response

TCP 3-Way Handshake

HTTP GET

HTTP 200

11

Comparing the Types of Web Filtering


Proxy-Based
Highly secure
Traffic is cached

Flow-Based
High throughput
No caching
Not as secure

DNS-Based
Very lightweight
Hostname and IP address filtering
No advanced options, URL, and FortiGuard only

12

FortiGate Multi-Threat Security Systems I

246

FortiGate Multi-Threat Security Systems I

Web Filtering

Web Content Filtering


Drugs

Allow or block web pages


containing specific words or
patterns
Wildcards or regular
expressions used to
define patterns

Create Pattern list in


the CLI

Pharmacy
Score=5

Prescription
Score=5

Scores for matched patterns


are added
If greater than threshold,
FortiGate unit performs
configured action
If pattern appears
multiple times on web
page, score is only
counted once

Score=10

Threshold=18
10 +5 +5 =20

Block or Exempt

www.acme.com

13

Web URL Filtering (1 of 2)


Control web access by allowing or blocking URLs
Text, wildcards or regular expressions can be used to define the URL patterns
If no URL match on list, go on to next enabled check

Possible web URL filter actions are:


Allow
Block
Monitor
Exempt

14

FortiGate Multi-Threat Security Systems I

247

FortiGate Multi-Threat Security Systems I

Web Filtering

Web URL Filtering (2 of 2)


URL Filter list

URL: www.mypage.com/index.html

www.example.com
www.abc.com
www.mypage.com/index.html

Block
Allow
Monitor
Exempt

www.mypage.com
15

Forcing Safe Search


Safe Search is used by search sites to prevent inappropriate web sites
and images from appearing in search results
FortiGate unit rewrites the search URL to include the required codes to
enable Safe Search
Supported for Google, Bing, Yahoo! And Yandex
Does NOT force strict safe search

Youtube EDU available


Instructions for Youtube will include value to enter on FortiGate unit

16

FortiGate Multi-Threat Security Systems I

248

FortiGate Multi-Threat Security Systems I

Web Filtering

FortiGuard Category Filter (1 of 3)

URL: www.mypage.com

Categories
Allow
Block
Monitor
Warning
Authenticate

www.mypage.com
17

FortiGuard Category Filter (2 of 3)


The FortiGate unit accesses the FortiGuard Distribution Server to
determine the category of a requested page
Action is taken based on selection in web filtering profile

Web filter rating determined by:


Human rater
Text analysis
Exploitation of web structure

Description of Categories can be found on FortiGuard website


http://www.fortiguard.com/static/webfiltering.html

18

FortiGate Multi-Threat Security Systems I

249

FortiGate Multi-Threat Security Systems I

Web Filtering

FortiGuard Category Filter (3 of 3)


Split into multiple categories and sub-categories
Layout will switch periodically as the Internet changes
New categories and sub-categories are released and compatible with
updated firmware
Older firmware has new values mapped to existing categories

19

FortiGuard Response Caching


Most web sites are visited over and over again
FortiGate unit can remember what the response was

Caching improves performance by reducing FortiGate unit requests to


FortiGuard servers
Cache checked before sending request to FortiGuard server
TTL settings controls the number of seconds query results are cached

Small amount of FortiGate unit system memory dedicated to the cache


Default is 2% used for cache, can be increased to 15% from CLI

Port 53 used for FortiGuard communications


Alternate port number of 8888 can used

20

FortiGate Multi-Threat Security Systems I

250

FortiGate Multi-Threat Security Systems I

Web Filtering

FortiGuard Usage Quotas

Games Quota

Games Quota

Games Quota

Category:
Games

Quotas allow access to specific categories for a


specific length of time (calculated separately for
each quota configured)
If authentication is enabled, quota is automatically
based on the user, otherwise IP is used
Can only apply to categories with actions: Monitor,
Warn or Authenticate

21

Rating Submissions
Requests for rating of a web site, or to have a web sites rating
re-evaluated can be submitted by accessing:
http://www.fortiguard.com/ip_rep.php

22

FortiGate Multi-Threat Security Systems I

251

FortiGate Multi-Threat Security Systems I

Web Filtering

Rating Override (1 of 2)

Rating override

Category:
General Organizations

www.acme.com
Sub-Category: Information and Computer Security
23

Rating Override (2 of 2)
Can override the rating applied to a hostname by FortiGuard
Subscription Services
Hostname reassigned to a completely different category and uses that action

Override applies to FortiGate unit only


Changes not submitted to FortiGuard Subscription Services

Hostnames only
google.com
www.google.com
www.google.com/index.html

24

FortiGate Multi-Threat Security Systems I

252

FortiGate Multi-Threat Security Systems I

Web Filtering

Local Categories

Rename and deletion of sub-categories only in CLI


config webfilter ftgd-local-cat
delete <cat_name>
rename <cat_name> to <cat_name>

25

FortiGuard Category Actions: Warning


Action = Warning (right click in the GUI)

Web Filtering Warning Page

26

FortiGate Multi-Threat Security Systems I

253

FortiGate Multi-Threat Security Systems I

Web Filtering

Authenticate Action

Marketing

www.hackthissite.org
27

Web Filter Profiles


Web filtering,
FortiGuard web filtering
and Advanced Filter
options enabled
through web filtering
profiles
Profile in turn applied to
firewall policy
Any traffic being
examined by the
policy will have the
web filtering
operations applied
to it

28

FortiGate Multi-Threat Security Systems I

254

FortiGate Multi-Threat Security Systems I

Web Filtering

HTTP Inspection Order


Block Page

EXEMPT (from ALL further inspection)

Block

Exempt

URL

Web URL
Filter

FortiGuard
Filter

Allow

Block

Allow

Block Page

Block Page

Block

Allow

Advanced
Filter

Content
Filter
Block

Allow

Block Page
Block

Block Page

Allow

Virus Scan

Display Page

29

Viewing Web Filter Logs (1 of 2)

30

FortiGate Multi-Threat Security Systems I

255

FortiGate Multi-Threat Security Systems I

Web Filtering

Viewing Web Filter Logs (2 of 2)

31

Labs
Lab 1: Web Filtering
Ex 1: FortiGuard Web Filtering

32

FortiGate Multi-Threat Security Systems I

256

FortiGate Multi-Threat Security Systems I

Web Filtering

Classroom Lab Topology

33

FortiGate Multi-Threat Security Systems I

257

Application Control

Application Control

2014 Fortinet Inc. All rights reserved.


The information contained herein is subject to change without notice. No part of this publication including text, examples, diagrams
1
or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical
or otherwise, for any purpose, without prior written permission of Fortinet Inc.
FGT1-10-50005-E-20140326

Module Objectives
By the end of this module participants will be able to:
State how a signature trigger is accomplished
Create application control lists
Define application control rules by category
Set up application control through firewall policies by using application
control lists
FortiGuard Application Control Database
Add/revise software through FortiGuard
Use application control to perform traffic shaping
View and search logs for application control activity and events

FortiGate Multi-Threat Security Systems I

258

Application Control

Application Control
Application control is used to detect and take actions on network traffic
based on the application generating the traffic
Facebook, Skype, Gmail etc.

Can detect application traffic even if contained within other protocols


Supports a large number of applications and categories
DiffServ per application filter
Supports shared and per-IP traffic shaping for application control

Application Control List


An application control list defines the applications that will be
subject to inspection
For each application, the administrator can specify whether to
pass or block the application traffic in addition to other settings
Default rule set is very restrictive, must perform an AV/IPS update
in order to obtain new rules

FortiGate Multi-Threat Security Systems I

259

Application Control

Adding Signatures Through FortiGuard


Requests for additional or revised application control
coverage can be submitted using FortiClient or by accessing:
http://www.fortiguard.com/applicationcontrol/appform.html

Application Control Profile


Application control profile

Application control options are enabled through


application control sensors
Sensor in turn is applied to firewall policy
Any traffic being examined by the policy will have the
application control operations applied to it

FortiGate Multi-Threat Security Systems I

260

Application Control

Example: Facebook Application Control

Order of Operations

Processed from the top down


First match action is applied
Can be single application or picked from a set of
options to apply to multiple applications

FortiGate Multi-Threat Security Systems I

261

Application Control

Implicit Rules
Implicit 1
Matches traffic against every possible application control signature

Implicit 2
Matches traffic that does not conform to any application control signature

Disabling logging for Implicit Rules


Logging for the implicit rules can be disabled from the CLI:
config application list
edit <application sensor name>
unset other-application-action
end

10

FortiGate Multi-Threat Security Systems I

262

Application Control

Creating a Filter Rule

11

Searching Signatures on FortiGuard

Searchable list of signatures, with descriptions


http://www.fortiguard.com/encyclopedia/applications/
Signatures change and update

12

FortiGate Multi-Threat Security Systems I

263

Application Control

Behavior Identification

13

Instant Messenger (1 of 3)
Support for MSN(defunct), Yahoo, ICQ and AIM
Software passes traffic through a single IM proxy

Communications protocols have never been released or had RFC


published
Proxy designed through reverse engineering

Must be explicitly selected from the application control list. IM proxy


(not enabled if IM selected)
Lets look closer

14

FortiGate Multi-Threat Security Systems I

264

Application Control

Instant Messenger (2 of 3)

Fortigate makes use of a man-in-the middle proxy

15

Instant Messenger (3 of 3)

16

FortiGate Multi-Threat Security Systems I

265

Application Control

Fine Tuning Instant Messenger


Instant Messenger Policy configurable from the CLI, default is to allow
all users
config imp2p policy
set [aim/icq/msn/yahoo] [allow/deny]
end

Users can only be restricted if policy is set to deny


Cannot block by user if policy set to allow
Maximum 1000 IM users

17

Instant Messenger Users


First user must be created in CLI
config imp2p (protocol)-user
edit (username)
end

18

FortiGate Multi-Threat Security Systems I

266

Application Control

Monitor

19

Traffic Shaping
Allows for traffic shaping to apply to only SOME of the traffic passing
through a profile/policy
Only traffic matching application control signature is shaped
Can track application bandwidth usage and use traffic shaping to
control heavy traffic applications
Can use all normal traffic shaping options: Shared, Per-IP, Reverse

20

FortiGate Multi-Threat Security Systems I

267

Application Control

Traffic Shaping: Working Example

21

How Does My Software Actually Work?

? ?

22

FortiGate Multi-Threat Security Systems I

268

Application Control

How it Works

Application control looks at packets and performs


a pattern match comparison to determine traffic
Does not perform any kind of scanning of either
system
Only reports that packets match an enabled pattern
23

Peer-to-Peer Detection (1 of 3)

Traditional file transfer


1 Client
1 Server

24

FortiGate Multi-Threat Security Systems I

269

Application Control

Peer-to-Peer Detection (2 of 3)

Peer-to-peer transfer
1 Client
N Servers

25

Peer-to-Peer Detection (3 of 3)

Why is P2P traffic so


difficult to detect?
Traditional Protocols (HTTP, FTP) were designed to be distinct and
separate from other protocols.
P2P communication protocols were designed to be difficult to distinguish
from other protocols
26

FortiGate Multi-Threat Security Systems I

270

Application Control

Labs
Lab 1: Application Identification
Ex 1: Creating an Application Control list

Lab 2: Traffic Shaping


Ex 1: Limiting YouTube Traffic

Lab 3: Selective Application Control


Ex 1: Block Wikipedia Editing

27

Classroom Lab Topology

28

FortiGate Multi-Threat Security Systems I

271