
Introduction to FortiGate Unified Threat Management 7 April 2014

1
2014 Fortinet Inc. All rights reserved.
The information contained herein is subject to change without notice. No part of this publication including text, examples, diagrams
or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical
or otherwise, for any purpose, without prior written permission of Fortinet Inc. FGT1-01-50005-E-20131120
Introduction to Fortinet Unified Threat Management
2
Module Overview
Other products available from Fortinet
A FortiGate's features
Administrative Access, Users and Profiles
FortiGuard
Operating Modes
Default Settings
Configuration Backup and Restoration
Proper upgrade and downgrade procedures
Console port
and other topics
3
Module Objectives
By the end of this module, participants will be able to:
Identify the major features of the FortiGate Unified Threat Management appliance
Modify administrative access restrictions
Create and manage administrative users
Create and manage administrator access profiles
Backup and restore configuration files
Create a DHCP server on a FortiGate unit's interface
Upgrade or downgrade a FortiGate unit's firmware
4
Traditional Network Security Solutions
Firewall
Antivirus
Antispam
WAN Optimization
Web Filtering
Application Control
Intrusion Prevention
VPN
Many single-purpose systems needed to cope with a variety of threats
5
FortiGate Integrated Network Security Platform
Firewall
Antivirus
Antispam
WAN Optimization
Web Filtering
Application Control
Intrusion Prevention
VPN
and more
One device provides a comprehensive security and networking solution
FortiGate Appliance
6
Unit Design
Hardware
Purpose-driven hardware
FortiOS
Specialized operating system
Firewall, AV, Web Filter, IPS
Security and network-level services
FortiGuard Subscription Services
Automated update service
7
FortiGate Unit Capabilities
Firewall
Antivirus
Email filtering
Web filtering
Intrusion prevention
Application control
Data leak prevention
WAN optimization
Secure VPN
Wireless
Dynamic routing
Endpoint compliance
Virtual domains
Traffic shaping
High availability
Logging and reporting
Authentication
8
Fortinet Products
Network Security
FortiGate appliances
High-end, mid-range and desktop models
Network Access
Wireless: FortiWiFi, FortiAP
Switching: FortiSwitch
End-point and mobility: FortiClient
User Identity: FortiAuthenticator, FortiToken
Infrastructure Security
Application and Content Delivery: FortiADC
DDoS Mitigation: FortiDDoS
Advanced Threat Protection
Voice and Video: FortiVoice, FortiCamera, FortiRecorder
Application Security
FortiMail, FortiWeb, FortiDB
FortiCache
Management
FortiManager, FortiAnalyzer, FortiCloud
9
FortiGuard Subscription Services
Global Update service for AV/IPS (update.fortiguard.com)
Uses SSL on port 443
Global Live service for FortiGuard WF/AS (service.fortiguard.net)
Uses a proprietary protocol on port 53 or 8888
Live service (connection and contract required)
Short grace period after contract expiry (about 7 days)
Handled through the FortiGuard Distribution Network (FDN)
Calculates server distance based on time zones
Major server centers in North America as well as Asia and Europe
Nearest servers are preferred, but the choice adjusts based on server load
Update requests can be sent to a FortiManager instead
10
Modes of Operation
NAT
Device operates on Layer 3 of the OSI Model
Interfaces have IP addresses
Packets are routed via IP
Device is a presence in the routing of the network
Transparent
Device operates on Layer 2 of the OSI Model
Device interfaces do not have IPs
Routing decisions are not possible
Device is not a presence in network routing
11
OSI Model
12
Device Factory Defaults
port1 or internal interface will have an IP of 192.168.1.99/24
PING, HTTP, HTTPS protocols are enabled for Management Access
port1 or internal interface will have a DHCP server set up and enabled (on devices that support DHCP servers)
Default login will always be:
user: admin
password: (blank)
Usernames and passwords are BOTH case sensitive
Default admin user information should be modified!
13
Device Administration
Web GUI
HTTP, HTTPS
CLI
Console, SSH, Telnet, GUI Widget
14
Administrator Profiles
15
Administrator Profiles: Permissions
System Configuration
Network Configuration
Firewall Configuration
VPN Configuration
Wifi Configuration
etc.
Permission levels per category: None, Read, Read-Write
Admin Profile
16
Administrative Users
super_admin profile: Full access
prof_admin profile: Full access within a single virtual domain
custom profile: Custom access
17
Administrative Users: Trusted Hosts
If logging in from the source IP is not permitted by the trusted hosts, the FortiGate will not respond to management traffic requests to its interfaces
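The following is an added example, not code from the slides or from FortiOS: a small Python model of how the two administrative-access controls on the preceding slides combine. An administrator carries an access profile (per-category None / Read / Read-Write) and a list of trusted hosts; a request from an untrusted source gets no response at all, and only then does the profile decide. The administrator names, categories and addresses are constructed sample data.

```python
"""Hypothetical model of FortiGate admin access checks (added example).

Two controls from the slides are combined:
  * trusted hosts: management requests from a source IP outside the
    administrator's trusted hosts are not answered at all;
  * access profile: per-category permission None / Read / Read-Write.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network, IPv4Network, IPv6Network
from typing import Dict, List, Optional, Union

Network = Union[IPv4Network, IPv6Network]

# Permission levels from the "Administrator Profiles: Permissions" slide.
NONE, READ, READ_WRITE = "none", "read", "read-write"


@dataclass
class AdminProfile:
    name: str
    permissions: Dict[str, str]  # category -> permission level

    def allows(self, category: str, action: str) -> bool:
        """A category missing from the profile defaults to None (deny)."""
        level = self.permissions.get(category, NONE)
        if action == "read":
            return level in (READ, READ_WRITE)
        if action == "write":
            return level == READ_WRITE
        return False


@dataclass
class Administrator:
    name: str
    profile: AdminProfile
    trusted_hosts: List[Network] = field(default_factory=list)


def is_trusted(admin: Administrator, source_ip: str) -> bool:
    """An empty trusted-host list means 'any source', the weakest setting."""
    if not admin.trusted_hosts:
        return True
    src = ip_address(source_ip)
    # 'in' returns False across IPv4/IPv6 families, so mixed lists are safe.
    return any(src in net for net in admin.trusted_hosts)


def evaluate(admin: Administrator, source_ip: str,
             category: str, action: str) -> Optional[bool]:
    """None: the unit does not respond (untrusted source).
    True/False: login accepted, profile allows/denies the action."""
    if not is_trusted(admin, source_ip):
        return None
    return admin.profile.allows(category, action)


# Constructed sample data (hypothetical categories and addresses).
CATEGORIES = ["system", "network", "firewall", "vpn", "wifi"]
SUPER_ADMIN = AdminProfile("super_admin", {c: READ_WRITE for c in CATEGORIES})
HELPDESK = AdminProfile("helpdesk_ro", {"firewall": READ, "network": READ})

ADMINS = {
    "admin": Administrator("admin", SUPER_ADMIN,
                           [ip_network("10.0.1.0/24")]),
    "helpdesk": Administrator("helpdesk", HELPDESK,
                              [ip_network("10.0.1.0/24"),
                               ip_network("2001:db8:1::/64")]),
}

if __name__ == "__main__":
    for who, src, cat, act in [("admin", "10.0.1.5", "system", "write"),
                               ("admin", "192.0.2.9", "system", "write"),
                               ("helpdesk", "10.0.1.5", "firewall", "read"),
                               ("helpdesk", "10.0.1.5", "firewall", "write")]:
        print(who, src, cat, act, "->", evaluate(ADMINS[who], src, cat, act))
```

The point of returning `None` rather than `False` for an untrusted source is that the slide describes two different outcomes: a denied action still produces a response (and a log entry), whereas an untrusted source produces no response at all.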
18
Two Factor Authentication
Username and Password (one factor) + FortiToken (second factor)
19
Administrative Users: Two Factor Authentication
20
Configuration Files
Device configuration settings can be saved to an external file
Optional encryption
The file can be restored to roll the device back to a previous configuration
Restoring a configuration always reboots the device
Configuration files can be backed up automatically
Not available on all models; happens when admin users log out
21
Configuration Files: Format
Header contains some details on the device
After the header, an encrypted file is not readable
Restoring an encrypted config file requires the same device/model running the same build as the config file (and the encryption password)
Restoring a text-based config file only requires the same model
Configuration files from a different build can be used (with the same limits as an upgrade)
The config file only contains non-default and important settings (to keep the size down)
Plain text header:
#config-version=FWF60D-5.00-FW-build252-131031:opmode=0:vdom=0:user=admin#conf_file_ver=10488925954160275734#buildno=0252#global_vdom=1
Encrypted header:
#FGBK|3|FWF60D|5|00|252|
Fields labelled in both headers: Model (FWF60D), Firmware Major Version (5.00), Build Number (252)
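As an added example (not Fortinet code), the Python below parses the two header formats shown on the slide and applies the restore rules the slide states: a text-based backup needs only the same model, an encrypted backup needs the same model and the same build (plus the password, which is not checked here). The field layout is read off the two example headers on the slide; treating the third FGBK field as the model and the fourth/fifth as the major/minor version is an assumption based on those examples only.

```python
"""Parse FortiGate config-file headers and check restore preconditions.
Added example; the regexes are derived from the two sample headers on the
slide and may not cover every firmware release."""
import re
from dataclasses import dataclass
from typing import List

# Plain-text backups start with "#config-version=<model>-<ver>-FW-build<n>-..."
PLAIN_RE = re.compile(
    r"^#config-version=(?P<model>[A-Za-z0-9]+)-(?P<ver>\d+\.\d+)-FW-build(?P<build>\d+)-")
# Encrypted backups start with "#FGBK|<fmt>|<model>|<major>|<minor>|<build>|"
ENC_RE = re.compile(
    r"^#FGBK\|(?P<fmt>\d+)\|(?P<model>[^|]+)\|(?P<major>\d+)\|(?P<minor>\d+)\|(?P<build>\d+)\|")


@dataclass
class ConfigHeader:
    encrypted: bool
    model: str
    major_version: str  # e.g. "5.00"
    build: int


def parse_header(text: str) -> ConfigHeader:
    """Only the first line of the file is needed; the rest may be ciphertext."""
    first = text.splitlines()[0] if text else ""
    m = PLAIN_RE.match(first)
    if m:
        return ConfigHeader(False, m["model"], m["ver"], int(m["build"]))
    m = ENC_RE.match(first)
    if m:
        return ConfigHeader(True, m["model"], f"{m['major']}.{m['minor']}",
                            int(m["build"]))
    raise ValueError("not a recognised FortiGate config header")


def restore_problems(header: ConfigHeader, device_model: str,
                     device_build: int) -> List[str]:
    """Return the list of reasons this backup cannot be restored to the
    given unit (empty list means the slide's preconditions are met)."""
    problems = []
    if header.model != device_model:
        problems.append(f"model mismatch: file {header.model}, unit {device_model}")
    if header.encrypted and header.build != device_build:
        # Encrypted files must match the build exactly; text files may
        # differ, subject to the same limits as a firmware upgrade.
        problems.append(f"encrypted file build {header.build} != unit build {device_build}")
    return problems


# The two headers exactly as printed on the slide.
PLAIN_HEADER = ("#config-version=FWF60D-5.00-FW-build252-131031:opmode=0:vdom=0:"
                "user=admin#conf_file_ver=10488925954160275734#buildno=0252#global_vdom=1\n"
                "config system global\n")
ENC_HEADER = "#FGBK|3|FWF60D|5|00|252|\n<ciphertext follows>\n"

if __name__ == "__main__":
    for blob in (PLAIN_HEADER, ENC_HEADER):
        h = parse_header(blob)
        print(h, "-> problems on a FWF60D build 300:",
              restore_problems(h, "FWF60D", 300))
```

A pre-upgrade script can run `restore_problems` against the backup taken in Step 1 of the upgrade procedure, so that a mismatched or encrypted-with-wrong-build file is caught before the unit is rebooted rather than after.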
22
Per Virtual Domain Configuration Files
Configurations are backed up as a whole
If Virtual Domains (VDOMs) are enabled, backups of individual VDOMs are possible
23
Interface IPs
Every used interface on the unit must have an IP assigned (in NAT mode) using one of three methods: Manual IP, DHCP assigned, PPPoE (CLI)
24
Administrative Access: Methods
Each interface has separate options for enabling Management access
Separate settings for IPv4 and IPv6
IPv6 options only show up if the feature is enabled in the GUI
25
Hiding features from the GUI
Not all features are visible in the GUI by default
Some features are ONLY configurable from the CLI
Features not in the GUI are NOT disabled
Primary features can be hidden/unhidden from the Dashboard widget
Full list of options found in the Features submenu
26
Hiding features from the GUI: Security Features
NGFW: Next Generation Firewall, line speed inspection
ATP: Advanced Threat Protection, focuses on protecting PCs
WF: Web Filtering
Full UTM: All inspection profile options are available in the GUI
27
Administrative Access: Ports
Service Ports for Administrative access can be customized
Only using secure access methods is recommended
28
Static Gateway
There must be at least one default gateway
If an interface is DHCP or PPPoE, then a gateway can be added to the routing dynamically
29
DHCP Server: Setup
Enabled and configured separately for each interface
30
DHCP Server: IP Reservation
IP address reserved and always assigned to the same DHCP host
Select an IP address or choose an existing DHCP lease to add to the reserved list
Identify the IP address reservation as either DHCP over Ethernet or DHCP over IPsec
MAC address of the DHCP host is used to look up the IP address in the IP reservation table
Found in the Advanced settings of the DHCP server, on the interface
31
DHCP Logs
32
FortiGate as a DNS Server
Resolve DNS lookups from an internal network
Methods to set up DNS for each interface:
Forward to System DNS: DNS requests relayed to the DNS servers configured for the FortiGate unit
Non-recursive: DNS requests resolved using a FortiGate DNS database; unresolved DNS requests are dropped
Recursive: DNS requests resolved using a FortiGate DNS database; any unresolved DNS requests are relayed to the DNS servers configured for the unit
One DNS database can be shared by all the FortiGate interfaces
If VDOMs are enabled, a DNS database can be created in each VDOM
33
DNS Forwarding
FortiGate units can forward (or not) DNS requests sent to their interfaces
Behavior on each interface is configured separately
Allows direct control of DNS
GUI allows setting Forward only
CLI allows Forward, Recursive and Non-recursive behavior
34
DNS Database: Configuration
DNS zones need to be added when configuring the DNS database
Each zone has its own domain name
Zone format defined by RFC 1034 and 1035
DNS entries are added to each zone
An entry includes a hostname and the IP address it resolves to
Each entry also specifies the type of DNS entry
IPv4 address (A) or an IPv6 address (AAAA)
name server (NS)
canonical name (CNAME)
mail exchange (MX) name
IPv4 (PTR) or IPv6 (PTR)
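The three DNS slides above (the per-interface modes, forwarding, and the zone database with its entry types) are modelled together in the added Python example below; it is not FortiOS code. A small zone database holds the entry types the slide lists, and a resolver applies the Forward / Non-recursive / Recursive behaviour to a query. The zone names, records and the "system DNS" answers are constructed sample data, and the system DNS servers are stood in for by a dictionary rather than real upstream servers.

```python
"""Model of FortiGate per-interface DNS modes over a local DNS database.
Added example, not FortiOS code; the upstream 'system DNS' is a dict."""
from typing import Dict, Optional, Tuple

FORWARD, NON_RECURSIVE, RECURSIVE = "forward", "non-recursive", "recursive"
# Entry types listed on the "DNS Database: Configuration" slide.
VALID_TYPES = {"A", "AAAA", "NS", "CNAME", "MX", "PTR"}


class DnsDatabase:
    """One database shared by all interfaces; zones keyed by domain name."""

    def __init__(self) -> None:
        self.zones: Dict[str, Dict[Tuple[str, str], str]] = {}

    def add_zone(self, domain: str) -> None:
        self.zones[domain.lower().rstrip(".")] = {}

    def add_entry(self, zone: str, hostname: str, rtype: str, value: str) -> None:
        if rtype not in VALID_TYPES:
            raise ValueError(f"unsupported entry type {rtype}")
        zone = zone.lower().rstrip(".")
        fqdn = zone if hostname in ("", "@") else f"{hostname.lower()}.{zone}"
        self.zones[zone][(fqdn, rtype)] = value

    def lookup(self, name: str, rtype: str) -> Optional[str]:
        name = name.lower().rstrip(".")
        for zone, entries in self.zones.items():
            if name == zone or name.endswith("." + zone):
                rec = entries.get((name, rtype))
                if rec is not None:
                    return rec
                # An address query for a CNAME owner follows the alias once.
                cname = entries.get((name, "CNAME"))
                if cname and rtype in ("A", "AAAA"):
                    return self.lookup(cname, rtype)
        return None


def resolve(mode: str, db: DnsDatabase, system_dns: Dict[Tuple[str, str], str],
            name: str, rtype: str = "A") -> Tuple[str, Optional[str]]:
    """Return (source, answer). source is 'database', 'system-dns' or
    'dropped'; answer is None when nothing resolved."""
    key = (name.lower().rstrip("."), rtype)
    if mode == FORWARD:
        # Forward to System DNS: the local database is never consulted.
        return ("system-dns", system_dns.get(key))
    answer = db.lookup(name, rtype)
    if answer is not None:
        return ("database", answer)
    if mode == NON_RECURSIVE:
        return ("dropped", None)
    if mode == RECURSIVE:
        return ("system-dns", system_dns.get(key))
    raise ValueError(f"unknown DNS mode {mode}")


# Constructed sample zone (hypothetical internal domain and addresses).
DB = DnsDatabase()
DB.add_zone("example.internal")
DB.add_entry("example.internal", "@", "NS", "ns1.example.internal")
DB.add_entry("example.internal", "intranet", "A", "10.0.0.10")
DB.add_entry("example.internal", "intranet", "AAAA", "2001:db8::10")
DB.add_entry("example.internal", "www", "CNAME", "intranet.example.internal")
DB.add_entry("example.internal", "@", "MX", "mail.example.internal")
DB.add_zone("0.0.10.in-addr.arpa")
DB.add_entry("0.0.10.in-addr.arpa", "10", "PTR", "intranet.example.internal")

# Constructed stand-in for the unit's configured system DNS servers.
SYSTEM_DNS = {("example.com", "A"): "203.0.113.7"}

if __name__ == "__main__":
    for mode in (FORWARD, NON_RECURSIVE, RECURSIVE):
        for q in ("intranet.example.internal", "www.example.internal", "example.com"):
            print(f"{mode:14} {q:28} -> {resolve(mode, DB, SYSTEM_DNS, q)}")
```

Running it shows the operational difference the slides describe: in Forward mode an internal name is never answered from the database, in Non-recursive mode an external name is dropped rather than leaked to the upstream servers, and in Recursive mode both are answered, the internal one locally and the external one via the configured system DNS.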
35
Firmware Upgrade Steps
Step 1: Back up and store the old configuration (full config backup from the CLI)
Step 2: Have copy of old firmware available
Step 3: Have disaster recovery option on standby (especially if remote)
Step 4: READ THE RELEASE NOTES (upgrade path, bug information)
Step 5: Double check everything
Step 6: Upgrade
36
Firmware Downgrade Steps
Step 1: Locate pre-upgrade configuration file
Step 2: Have copy of old firmware available
Step 3: Have disaster recovery option on standby (especially if remote)
Step 4: READ THE RELEASE NOTES (is a downgrade possible?)
Step 5: Double check everything
Step 6: Downgrade (all settings except those needed for access are lost)
Step 7: Restore pre-upgrade configuration
37
Maintainer Access
Available on all FortiGate devices and some non-FortiGate devices
Only available through the hardware console port
Highly secure (requires physical access)
Only open after a hard boot
Open for about 30 seconds (varies by model by approximately 1 minute)
Highly secure (a soft boot does not activate the user)
User: maintainer
Password: bcpb<serial number> (all letters in the serial number MUST BE uppercase)
Can be disabled in the CLI if physical security is a risk or for compliance reasons
config sys global
set admin-maintainer disable
end
38
Console Port
Depending on the FortiGate model, console port access is provided in the following ways:
Serial port (older models)
A standard null modem cable will work for console port access
RJ-45 port
An RJ-45-to-serial cable is required for access
USB 2 port
Requires FortiExplorer to connect
Each device ships with the proper console cables
39
FortiExplorer
Software used to manage devices via USB 2
Some models of FortiGate/FortiWiFi, FortiSwitch, FortiAP
Available for Windows PC, Mac OS X 10
Release notes contain detailed information on supported OS versions
Connect using a USB cable
Allows full GUI/CLI access, complete configuration options
If the device has a USB 2 port, FortiExplorer is the only way to access the console port
Available on the Apple Store for iPod/iPad/iPhone
Connect using a standard 30-pin USB cable
Limited configuration options, limited model options
40
Labs
Lab 1: Initial Setup and Configuration
Ex 1: Configuring Network Interfaces
Ex 2: Exploring the Command Line Interface
Ex 3: Restoring Configuration Files
Ex 4: Performing Configuration Backups (OPTIONAL)
Lab 2: Administrative Access
Ex 1: Profiles and Administrators
Ex 2: Restricting Administrator Access
41
Classroom Lab Topology
