Visit these links for more information and documentation for your Fortinet products:
Fortinet Knowledge Base - http://kb.fortinet.com
Technical Documentation - http://docs.fortinet.com
Training Services - http://campus.training.fortinet.com
Technical Support - http://support.fortinet.com
You can report errors or omissions in this or any Fortinet technical document to techdoc@fortinet.com.
Contents
Introduction
Using two ISPs for redundant Internet connections with distributed sessions
Wireless Networking
Providing remote users access to the internet and corporate network using FortiAP
Setting up a FortiGate and FortiAP to provide wired and wireless Internet access
UTM Profiles
Visualizing and controlling the applications on your network using application control
Protecting a web server from vulnerabilities and DoS attacks using IPS
Inspecting content on the network using flow-based UTM instead of proxy-based UTM
Providing remote users with access to a corporate network and Internet using SSL VPN
Securing remote access to the office network using FortiClient IPsec VPN
Securing remote access to the office network for an iOS device over IPsec VPN
Redundant OSPF routing between two remote networks over IPsec VPN
Authentication
Providing single sign-on on a Windows AD network by adding a FortiGate
Introduction
This FortiGate Cookbook provides administrators who are new to FortiGate appliances with
examples of how to implement many basic and advanced FortiGate configurations. FortiGate
products offer administrators a wealth of features and functions for securing their networks, but
to cover the entire scope of configuration possibilities would easily surpass this book. Fortunately,
much more information can be obtained in the FortiOS Handbook. The latest version is available
from the Fortinet Technical Documentation website at http://docs.fortinet.com.
This cookbook contains a series of recipes that describe how to solve a problem. Each recipe
begins with a description of the configuration requirements, followed by a step-by-step solution, and
concludes with results that show what should occur to verify the steps were completed successfully.
This FortiGate Cookbook was written for FortiOS 5.0 patch 2 (FortiOS 5.0.2).
A PDF copy of this document is available from the FortiGate Technical Documentation website at
http://docs.fortinet.com/cookbook.html. You can also find earlier editions of the FortiGate
Cookbook, which contain additional recipes and troubleshooting tips, and video presentations of
some of the content in this book.
You can send comments about this document and ideas for new recipes to techdoc@fortinet.com.
New recipes may be published on the FortiGate Cookbook website and added to future versions.
Web-based Manager
Also called the Web Interface or Web UI, the FortiGate web-based manager is an advanced point
and click, drag and drop interface that provides quick access to most FortiGate configuration
settings and includes visual monitoring and management tools.
Using the web-based manager you can add a security policy to monitor application activity on a
network, view the results of this application monitoring policy, and then create additional policies or
change the existing policy to block or limit the traffic produced by some applications.
The web-based manager also provides a wide range of monitoring and reporting tools that provide
detailed information about traffic and events occurring on the FortiGate unit.
You access the web-based manager using HTTP or a secure HTTPS connection from any web
browser. By default you can access the web-based manager by connecting to the FortiGate interface
usually attached to a protected network. Configuration changes made from the web-based manager
take effect immediately, without resetting the unit or interrupting service.
FortiExplorer
FortiExplorer provides a user-friendly and accessible tool that you can use to configure a FortiGate
unit over a standard USB connection. You can install FortiExplorer software on a PC running Windows
or Mac OS X and use a USB connection between the PC and your FortiGate unit. Use FortiExplorer
to register your FortiGate unit, check for and perform FortiOS firmware updates, use the FortiExplorer
configuration wizard to quickly set up the FortiGate unit and connect to the
web-based manager or CLI.
Training
Fortinet Training Services provides a variety of training programs world-wide that orient you to your new
equipment, and provides certifications to verify your knowledge level. For more on training services, visit
the Fortinet Training Services web site at http://campus.training.fortinet.com.
[Network diagram: Internet - WAN 1 (172.20.120.22) - FortiGate - LAN (192.168.1.99/24) - Internal Network]
Results
Log in to the FortiGate unit using the user name Terry_White.
As this administrator, you can edit any element of the FortiGate unit pertaining to the firewall objects and security policies.
You can also view the other administrator information. Note that menu items for other features do not appear.
[Network diagram: Internet (with FortiGuard) - WAN 1 - FortiGate - port 1 - Internal Network]
[Network diagram: Internet - WAN 1 (172.20.120.123) - FortiGate - port 1 (192.168.1.99) - Internal Network]
Results
To see information about network traffic
processed by the FortiGate unit, go to Log
& Report > Traffic Log > Forward Traffic.
[Network diagram: Internet - WAN 1 (172.20.120.123) - FortiGate - port 1 (192.168.1.99) - Internal Network with SNMP Manager at 192.168.1.114]
Results
This example uses SolarWinds SNMP trap
viewer.
In SolarWinds Toolset Launch Pad, go to
SNMP > MIB Viewer and select Launch.
[Network diagram: Internet (with FortiCloud) - WAN 1 (172.20.120.123) - FortiGate - port 1 (192.168.1.99) - Internal Network]
Results
Go to System > Dashboard > Status.
On the License Information widget, in the
FortiCloud section, select Launch Portal.
From the portal, you can see the log data
and reports.
[Network diagram: Internet reached through ISP 1 on WAN1 and ISP 2 on WAN 2 - FortiGate - LAN - Internal Network]
Results
Go to Log & Report > Traffic Log >
Forward Traffic to see network traffic
from different source IP addresses flowing
through both wan1 and wan2.
[Network diagram: Internet - WAN 1 (172.20.120.22) - FortiGate, with a DMZ interface to the DMZ Network (Web Server 10.10.10.22) and a LAN interface to the Internal Network]
Results
External users can access the web
server on the DMZ network from the
internet using http://172.20.120.22 and
https://172.20.120.22.
Internal users can access the web
server using http://10.10.10.22 and
https://10.10.10.22.
[Network diagram: two FortiGate units in an HA cluster joined by dual HA links; each unit's WAN 1 connects through a switch to the Internet and its Internal interface through a switch to the Internal Network]
[Network diagram: Internet - port 3 - FortiGate (explicit web proxy) - port 4 - Internal Network]
Results
Configure web browsers on the private network to connect using a proxy server. The IP address of the HTTP proxy server is 10.10.1.99 (the IP address of the FortiGate internal interface) and the port is 8080 (the default explicit web proxy port).
Web browsers configured to use the proxy server are able to connect to the Internet.
Go to Policy > Policy > Policy to see the ID of the policy (3) allowing web proxy traffic. Web proxy traffic is not counted by the firewall policy.
[Network diagram: Internet - Router - wan 1 - FortiGate - Internal (192.168.1.99/24, Management IP 192.168.1.100) - Internal Network (192.168.1.[110-150])]
Results
Connect to the web server from the internal network and surf the Internet from the server itself.
Go to Log & Report > Traffic Log > Forward Traffic to verify that there is traffic from the internal interface to the wan 1 interface.
[Network diagram: Internet - WAN 1 (172.20.120.23) - FortiGate - Internal (192.168.1.99/24) - Internal network]
Results
Open the pcap file with a pcap file viewer
such as tcpdump or Wireshark.
Depending on the kind of traffic you need
to capture, you may adjust the settings in
the filter to meet your needs.
Wireless Networking
FortiOS WiFi networking provides a wide range of capabilities for integrating wireless networks into
your organization's network architecture. Each WiFi network, or SSID, is represented by a virtual
network interface to which you apply security policies, UTM features, traffic shaping, and so on, in
the same way as for physical wired networks.
You can create multiple WiFi networks to serve different groups of users. For example, you might
have one network for your employees and another for guests or customers. Also, with the increase
in use of Bring Your Own Device (BYOD) equipment (smartphones, tablets and other mobile devices
that use WiFi technology), wireless networks are becoming busier than ever and have to be
monitored and accommodated accordingly.
A network that requires only one WiFi access point is easily created with a FortiWiFi unit operating as
a single thick Access Point (AP). A thick AP such as a FortiWiFi unit contains the WiFi radio facility
as well as access control and authentication functionality.
A thin AP, such as a FortiAP unit, contains only the radio facility and a microcontroller that receives
commands and exchanges data with a WiFi controller. If you already have a FortiGate unit, adding
a FortiAP unit as a thin AP managed by the FortiGate unit operating as a WiFi controller is a cost
effective solution for adding WiFi to your network.
The FortiOS WiFi controller feature is available on both FortiGate and FortiWiFi units. A FortiWiFi
unit's WiFi controller also controls the unit's internal (Local WiFi) radio facility, treating it much like a
built-in thin AP. Whenever multiple APs are required, a single FortiGate or FortiWiFi unit controlling
multiple FortiAP units is best. A network of multiple thick APs would be more expensive and more
complex to manage.
[Network diagram: remote FortiAP (WLAN_1 Wireless Network) - Internet - FortiGate (WLAN 1 and Internal interfaces) - Internal Network]
Results
The remote user connects the FortiAP to
the network connection at the hotel. They
then connect to the RemoteWiFi wireless
network. They will be able to access the
corporate network and surf the Internet
securely.
[Network diagram: Internet - WAN 1 (172.20.120.226) - FortiGate - LAN (192.168.1.99/24) - Internal network, with a FortiAP providing the wireless network]
Results
Have the WiFi users connect to My_SSID; they should be able to surf the Internet. The wireless devices will be in the same subnet as the internal wired network.
Go to WiFi Controller > Monitor > Client Monitor to see WiFi users and their IP addresses.
Go to Log & Report > Traffic Log > Forward Traffic and verify that WiFi users are accessing the Internet through the same security policy as the wired network users.
[Network diagram: Internet - WAN 1 (172.20.120.23) - FortiGate - Internal network; FortiAP Wireless network 10.10.10.1/24]
Results
When a guest requires access to the wireless network, the company receptionist logs into the FortiGate unit with their account and creates guest user names on the FortiGate unit.
Once logged in, they go to User & Device > User > Guest Management and create a new user ID.
[Network diagram: Internet - wan 1 - FortiWiFi - Internal - internal network; the wifi interface serves wireless mobile devices]
Results
Go to Log & Report > Traffic Log >
Forward Traffic. When a mobile user
connects during the lunch break, they can
surf the Internet, as shown in the logs.
[Network diagram: FortiGate with LAN (192.168.1.99/24, Internal network with an OS X host), DMZ (10.10.100.1/24), SSID 1 / WLAN 1 (10.10.10.1/24) and SSID 2 / WLAN 2 (20.20.20.1/24) via FortiAP; iPad 10.10.10.3 connected to SSID 1, AirPrint printer 20.20.20.2 connected to SSID 2]
Results
Print a document from an iOS device.
Go to Log & Report > Traffic Log >
Multicast Traffic to see the printing traffic
passing through the FortiGate unit.
[Network diagram: FortiGate with LAN (192.168.1.99/24, Internal network with an OS X host and Apple TV), DMZ (10.10.100.1/24) and SSID1 / WLAN 1 (10.10.10.1/24) via FortiAP; iPad 10.10.10.3 connected to SSID 1]
Results
Use AirPlay from the iPad to stream video to the Apple TV.
Go to Log & Report > Traffic Log > Multicast Traffic to see the multicast traffic between the WLAN 1 and LAN interfaces.
Select an entry for more information.
[Network diagram: Internet - WAN 1 (172.20.120.226) - FortiGate - LAN (192.168.1.99/24) - Server 192.168.1.200; TCP ports 7882-7999 and UDP ports 2119 and 2995 are opened for traffic from the Internet to the Server]
Results
UTM Profiles
UTM profiles, including antivirus, web filtering, application control, intrusion protection (IPS), email
filtering, and data leak prevention (DLP), apply core UTM security functions to traffic accepted by
security policies. The FortiGate unit includes default UTM profiles for all of these security features.
You can apply UTM features to traffic accepted by a security policy by selecting the default profiles
for the UTM features that you want to apply.
The default profiles are designed to provide basic protection. You can modify the default profiles,
and group them, for your needs or create new ones. Creating multiple profiles means you can apply
different levels of protection to different traffic types according to the security policies that accept the
traffic.
Endpoint control profiles are created to ensure that workstation computers, also known as
endpoints, on your network meet the network's security requirements; otherwise, they are not
permitted access. Enhanced by Fortinet's FortiClient Endpoint Security software, FortiGate endpoint
control can block or control access through the FortiGate unit for workstation computers depending
on the security functions enabled on the computers and the applications running on them. After
creating endpoint control profiles, you can add endpoint security profiles to security policies.
The final UTM profile feature, vulnerability scanning, is independent of security policies. By using
vulnerability scanning, you can scan computers on your network for multiple vulnerabilities, and take
action to remove those vulnerabilities.
[Network diagram: Internet - WAN 1 - FortiGate - Internal - Internal Network, with application traffic inspected by the FortiGate]
Results
Go to Log & Report > Traffic Log >
Forward Traffic.
You can see the sensor is working and
blocking the selected application traffic.
[Network diagram: Internet (with FortiGuard) - WAN 1 - FortiGate - LAN - Internal Network]
Results
In a web browser, go to cnn.com. The FortiGate unit blocks the web site with an override option.
[Network diagram: attacks from the Internet - FortiGate WAN 1 (172.20.120.24) - LAN (192.168.1.99/24) - Internal network with the Web server; VIP: 172.20.120.24 --> 192.168.1.200]
Results
Perform a DoS tcp_syn_flood attack against the web server IP address. The TCP SYN sessions should be blocked when the threshold of 20 is reached.
Note: Ensure you have the proper IP address of your web server. Otherwise you may unwillingly cause a DoS attack on another server!
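To show what the threshold of 20 means in practice, the following Python program is an added example, not FortiOS code: it models the tcp_syn_flood anomaly as a per-destination count of initial SYNs in each one-second window, letting the first 20 through and dropping every further SYN in that window, and then summarizes the drops per destination the way you would read them off the Forward Traffic log. The traffic it processes is constructed inline (25 SYNs from 203.0.113.x sources to the web server 192.168.1.200 from the diagram, plus unrelated traffic). The window granularity and the exact point at which the action fires are assumptions of this model, so treat the numbers as an illustration of the mechanism rather than the unit's precise behaviour.

```python
from collections import defaultdict

# Threshold from the recipe: 20 TCP SYNs per second towards one destination.
THRESHOLD = 20

def syn_flood_filter(events, threshold=THRESHOLD):
    """Per-destination SYN rate limit over one-second windows.

    events: (timestamp, src_ip, dst_ip, dst_port, tcp_flags) tuples in time order,
    with flags as a string such as "S" or "SA". Returns a (kept, blocked) pair of
    lists. Simplified model of the tcp_syn_flood anomaly (assumption, not FortiOS
    code): the first `threshold` SYNs in a window pass, the rest of that window is dropped.
    """
    counts = defaultdict(int)          # (dst_ip, whole second) -> SYNs seen so far
    kept, blocked = [], []
    for ev in events:
        ts, _src, dst, _port, flags = ev
        if flags != "S":               # only initial SYNs (no ACK) are connection attempts
            kept.append(ev)
            continue
        key = (dst, int(ts))
        counts[key] += 1
        (kept if counts[key] <= threshold else blocked).append(ev)
    return kept, blocked

def make_sample_events():
    """Constructed traffic, not a capture from the page: 25 SYNs within one second from
    25 different sources to the web server, plus normal traffic to another host and a
    SYN in the following second, where the counter has started over."""
    events = []
    for i in range(25):
        events.append((100.0 + i * 0.02, "203.0.113.%d" % (i + 1), "192.168.1.200", 80, "S"))
    events.append((100.5, "192.168.1.50", "192.168.1.114", 445, "S"))
    events.append((100.6, "192.168.1.114", "192.168.1.50", 445, "SA"))
    events.append((101.2, "203.0.113.9", "192.168.1.200", 80, "S"))
    return events

def report(kept, blocked):
    """Count blocked SYNs per destination, as the traffic log would show them."""
    per_dst = defaultdict(int)
    for _ts, _src, dst, _port, _flags in blocked:
        per_dst[dst] += 1
    return {"kept": len(kept), "blocked": dict(per_dst)}

if __name__ == "__main__":
    print(report(*syn_flood_filter(make_sample_events())))
```

The point the note in the recipe makes applies here as well: the counter keys on the destination address, so a test aimed at the wrong address rate-limits whatever host actually sits there. With the sample traffic, 23 events pass and 5 SYNs to 192.168.1.200 are dropped.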
[Network diagram: Internet - WAN 1 - FortiGate - LAN - Internal network; the data leak is stopped at the FortiGate]
Results
Upload a file containing a credit card
number to a server on the Internet such
as a local FTP server or web server.
The FortiGate unit will block the file
and prevent it from leaving the internal
network.
Go to Log & Report > Traffic Log >
Forward Traffic and locate the blocked
log entry.
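The DLP sensor in this recipe blocks a file because it contains a credit card number. The following Python program is an added example, not Fortinet's DLP implementation: it shows the usual way such a sensor tells a card number from any other run of digits, a regular expression for candidate 13 to 19 digit strings followed by the Luhn checksum, and returns a block or pass decision with the matches masked for logging. The uploaded file content is constructed inline, using the publicly known test number 4111 1111 1111 1111 next to a 16-digit order number that fails Luhn; whether the FortiGate sensor applies exactly these rules is an assumption.

```python
import re

# Candidate: 13 to 19 digits, optionally separated by single spaces or dashes, not
# embedded in a longer digit run. This regex + Luhn pairing is a generic model of a
# credit-card DLP rule, not Fortinet's published matching logic.
CARD_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")

def luhn_ok(digits):
    """Luhn mod-10 check: true for every real card number, false for most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def find_card_numbers(text):
    """Return the digit strings in text that look like card numbers and pass Luhn."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits

def mask(digits):
    """Keep only the last four digits, so the log entry itself does not leak the number."""
    return "*" * (len(digits) - 4) + digits[-4:]

def dlp_check(filename, content, threshold=1):
    """Block an outbound file once it contains `threshold` or more validated card numbers."""
    hits = find_card_numbers(content)
    return {"file": filename,
            "action": "block" if len(hits) >= threshold else "pass",
            "matches": [mask(h) for h in hits]}

# Constructed upload, not from the page. 4111 1111 1111 1111 is a publicly known test
# number that passes Luhn; the order number is 16 digits but fails Luhn.
SAMPLE_UPLOAD = (
    "customer: J. Doe\n"
    "card: 4111 1111 1111 1111\n"
    "phone: 555-0100\n"
    "order: 1234567890123456\n"
)

if __name__ == "__main__":
    print(dlp_check("export.txt", SAMPLE_UPLOAD))
```

The Luhn step is what keeps a rule like this usable: without it, every invoice number, tracking code or timestamp of the right length would trigger the sensor, and the Forward Traffic log would fill with false blocks.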
[Network diagram: Internet - WAN 1 - FortiGate - Internal - Internal Network]
Results
Allow traffic to pass through the FortiGate unit for a day. Then go to User & Device > Client Reputation > Reputation Score to view the results.
Each user, by device, that met the set threshold appears in the chart. With this information, you can see where potential problems may occur or where potential security breaches are imminent.
[Network diagram: Internal Network - Internal - FortiGate (flow-based Web Filter and antivirus) - WAN 1 - Internet; viruses coming from the Internet are blocked]
Results
To test the AV scanning, from a PC in the
internal network, go to
http://www.eicar.org and try to download a
test file.
The browser will time out and display a
message similar to what is shown here
from Google Chrome.
[Network diagram: Internal network - LAN - FortiGate - WAN 1 - Internet; viruses and spyware coming from the Internet]
Results
Any attempt to download a file larger than
10 MB is blocked.
The FortiGate unit displays a replacement
message explaining why the attempt
failed.
[Network diagram: Internet (blocked site) - WAN 1 - FortiGate - LAN - Internal network]
Results
In a web browser, attempt to visit
fortinet.com and docs.fortinet.com. In
both cases, the FortiGate unit displays a
message.
[Network diagram: Internet (YouTube and Facebook over HTTPS, FortiGuard) - WAN 1 - FortiGate - Internal - Internal Network]
Results
In a web browser, go to
https://youtube.com. The web page is
blocked and a FortiGate replacement
message is put up in its place.
[Network diagram: HQ FortiGate with wan1 (172.20.120.123) and port1 (192.168.1.99/24, Internal Network (HQ)) - Internet - IPsec tunnel - Branch FortiGate with port3 (172.20.120.141) and port4 (10.10.1.99/24, Internal Network (Branch))]
Results
Go to VPN > Monitor > IPSec Monitor
to verify the status of the VPN tunnel. It
should be up.
[Network diagram: Internet (SSL VPN user, sslroot browsing) - WAN 1 (172.20.120.123) - FortiGate - Port 1 (192.168.1.99/24) - Internal Network with Windows Server 192.168.1.114]
Results
[Network diagram: Remote user (FortiClient) - Internet - IPsec - FortiGate wan 1 (172.20.120.123) - port 1 (192.168.1.99/24) - Internal Network]
Results
Launch FortiClient, go to Remote Access, and add a new connection.
[Network diagram: Remote user (iPad) - Internet - IPsec - FortiGate wan 1 (172.20.120.123) - Port 1 (192.168.1.99/24) - Internal Network]
Results
On the iPad, go to Settings > General >
VPN and select Add VPN Configuration.
[Network diagram: FortiGate 1 (WAN 1 172.20.120.24, WAN 2 172.20.120.23, Internal 10.20.1.1/24 to Internal Network (HQ)) and FortiGate 2 (WAN 1 172.20.120.123, WAN 2 172.20.120.127, Internal 10.21.1.1/24 to Internal Network (Branch)) connected across the Internet by two IPsec tunnels, with OSPF running between the two sites]
Results
Verify the primary and secondary IPsec VPN tunnel status on FortiGate1 and FortiGate2. Tunnels on both FortiGates should be UP.
Go to VPN > Monitor > IPsec Monitor to verify the status.
Authentication
Authentication is the act of confirming the identity of a person or other entity. In the context of a
private computer network, the identities of users or host computers must be established to ensure
that only authorized parties can access the network. The FortiGate unit enables controlled network
access and applies authentication to users of security policies and VPN clients.
Identifying users and other computers (authentication) is a key part of network security. This chapter
describes some basic configurations.
[Network diagram: Internet - WAN 1 (172.20.120.123) - FortiGate - Port 1 (192.168.1.99/24) - Internal Network with Windows AD server 192.168.1.114]
Results
Go to Log & Report > Traffic Log >
Forward Traffic.
As users log into the Windows AD system,
the FortiGate collects their connection
information.