FORTINET
FortiGate I Student Guide
for FortiGate 5.2.1
DO NOT REPRINT
Last Updated: 30 April 2015
Fortinet, FortiGate, and FortiGuard are registered trademarks of Fortinet, Inc., and other Fortinet
names herein may also be trademarks, registered or otherwise, of Fortinet. All other product or
company names may be trademarks of their respective owners. Copyright 2002 - 2015 Fortinet, Inc.
All rights reserved. Contents and terms are subject to change by Fortinet without prior notice. No part
of this publication may be reproduced in any form or by any means or used to make any derivative
such as translation, transformation, or adaptation without permission from Fortinet, Inc., as stipulated
by the United States Copyright Act of 1976.
Table of Contents
VIRTUAL LAB BASICS ... 7
  Topology ... 8
  Logging In ... 8
  Disconnections/Timeouts ... 13
  Objectives ... 35
  Time to Complete ... 35
  Exercise 1 Remote Logging & SNMP Monitoring ... 36
ANTIVIRUS ... 73
  Lab 1: Antivirus Scanning ... 73
  Objectives ... 73
  Time to Complete ... 73
  Exercise 1 Antivirus & Block pages ... 74
  Exercise 2 Flow vs Proxy scanning ... 76
Module 10: Application Control ... 433
Topology
[Topology diagram. The addresses that can be read from it are listed below.]
LOCAL (the FortiGate named Student): port1 10.200.1.1/24, port2 10.200.2.1/24, port3 10.0.1.254/24
REMOTE (the FortiGate named Remote): port4 10.200.3.1/24, port5 10.200.4.1/24, port6 10.0.2.254/24
LINUX host: eth1 10.200.1.254, eth2 10.200.2.254, eth3 10.200.3.254, eth4 10.200.4.254 (eth0 is shown without an address)
WIN-LOCAL (Windows server): 10.0.1.10
WIN-REMOTE (Windows host): 10.0.2.10
FortiManager: port1 10.0.1.241, port2 10.200.1.241
FortiAnalyzer: port1 10.0.1.210, port3 10.200.1.210
Logging In
1. Run the System Checker. It verifies both your browser and your network connection to the virtual lab.
It can also diagnose problems with your Java Virtual Machine, firewall, or web proxy.
Use the URL for your location.
North America/South America:
https://remotelabs.training.fortinet.com/training/syscheck/?location=NAM-West
Europe/Middle East/Africa:
https://remotelabs.training.fortinet.com/training/syscheck/?location=Europe
Asia/Pacific:
https://remotelabs.training.fortinet.com/training/syscheck/?location=APAC
If a security confirmation dialog appears, click Run.
If your computer successfully connects to the virtual lab, the result messages for the browser and
network checks will each display a check mark icon. Continue to the next step.
If a browser test fails, this will affect your ability to access the virtual lab environment. If a network
test fails, this will affect the usability of the virtual lab environment. For solutions, either click the
Support Knowledge Base link or ask your trainer.
2. With the user name and password from your trainer, log into the URL for the virtual lab. Either:
https://remotelabs.training.fortinet.com/
https://virtual.mclabs.com/
3. If prompted, select the time zone for your location, then click Update.
This ensures that your class schedule is accurate.
4. Click Enter Lab.
A list of virtual machines that exist in your virtual lab should appear.
From this page, you can access the console of any of your virtual devices by either:
A new window should open within a few seconds. (Depending on your account's preferences, the
window may be a Java applet. If this fails, you may need to change browser settings to allow Java to
run on this web site. You also may need to review and accept an SSL certificate.)
Depending on the virtual machine, the applet provides access to either the GUI or a text-based
CLI. Connections to Windows machines will use a Remote Desktop-like GUI. The applet
should automatically log in, then display the Windows desktop. For most lab exercises, you will
connect to this VM.
Disconnections/Timeouts
If your computer's connection with the virtual machine times out, or if you are accidentally disconnected,
return to the initial window/tab that contains your session's list of VMs and open the VM again to
regain access.
If your session frequently times out or does not connect, ask your instructor.
When connecting to a VM, your browser should then open a display in a new window or tab.
Screen Resolution
Some Fortinet devices' user interfaces require a minimum screen size.
In the Java client, to configure the screen resolution, click the arrow at the top of the window.
In the HTML 5 client, to configure screen resolution, open the System menu.
International Keyboards
If characters in your language don't display correctly, the keyboard mapping may not be correct.
To solve this in the HTML 5 client, open the Keyboard menu at the top of the window. Choose to either
display an on-screen keyboard, or send text from your computer to the VM's clipboard.
To solve this in the Java client, copy and paste between your computer and the Java applet. This
sends special characters or combinations using the keyboard icon at the top of the applet window.
Troubleshooting Tips
If the HTML 5 client does not work, try the Java client instead. Remembering this preference
requires that your browser allow cookies.
Do not connect to the virtual lab environment through a low-bandwidth or high-latency connection,
including VPN tunnels or wireless such as 3G or Wi-Fi. For best performance, use a stable
broadband connection such as a LAN.
Do not disable or block Java applets. On Mac OS X since early 2014, to improve security, Java
has been disabled by default. In your browser, you must allow Java for this web site. On
Windows, if the Java applet is allowed and successfully downloads, but does not appear to
launch, you can open the Java console while troubleshooting. To do this, open the Control
Panel, click Java, and change the Java console setting to be Show console.
Network firewalls can also block Java executables.
Note: JavaScript is not the same as Java.
Change the power saving scheme so that your computer is always on, and does not go to
sleep or hibernate
If disconnected unexpectedly from any of the virtual machines (or from the virtual lab portal),
please attempt to reconnect. If unable to reconnect, please notify the instructor.
If during the labs, particularly when reloading configuration files, you see a message similar to the
one shown below, FortiGate VM is waiting for a response from the license authentication server.
Typically this happens after a reboot, for example after you upload a new FortiGate configuration
file. If that server was rebooting, or connectivity was interrupted, at the same time that FortiGate VM
was rebooting and sending its request, the server may not have received the request. FortiGate VM
will periodically retry, but you can force an immediate license authentication retry from the FortiGate
CLI:
execute update-now
Objectives
Configure FortiGate network interfaces and a default route for administrative access via your
lab network, such as with web browser, Telnet or SSH client
Find the FortiGate model and FortiOS firmware build information inside a configuration file
Time to Complete
Estimated: 15 minutes
edit port4
set ip 10.200.3.1/24
set allowaccess http ping
end
10. Verify that a valid default gateway route exists:
show router static
If there is no static route for port4, enter the commands below to set it. (Routing will be explained
in more detail in a later lesson.)
conf route static
edit 0
set device port4
set gateway 10.200.3.254
end
11. Verify that you have entered your configuration correctly.
show system interface
show router static
You can't connect to the Remote FortiGate's GUI yet. Before you can do that, you must first
configure the FortiGate named Student with a route and a firewall policy that allows and routes
that management traffic to the FortiGate named Remote. You will add this configuration in a later
lab exercise.
This shows all words that the CLI will accept next after the get command. When the --More
prompt appears in the CLI, either press the spacebar key to continue scrolling, press the Enter key
to scroll one line at a time, or press the Q key to exit.
Depending on the command, you may need to enter additional words to completely specify a
configuration object.
6. Press the up arrow key. This displays the previous get system status command. Try some
of the other control key sequences that are summarized below.
Previous command: up arrow, or CTRL+P
Next command: down arrow, or CTRL+N
Beginning of line: CTRL+A
End of line: CTRL+E
Back one character: CTRL+B
Forward one character: CTRL+F
Delete the character under the cursor: CTRL+D
Clear screen: CTRL+L
Abort the current command: CTRL+C (see below)
CTRL+C is context sensitive, but usually, it aborts the current command. If you were in a subcommand, it returns you to the parent command. Otherwise, it will terminate your current
administrative session. To continue, you must log in again.
7. Enter the command:
execute ?
This lists all words that the CLI will accept next after the execute command.
8. Type:
execute
then press the Tab key 3 times.
The first time you press the Tab key, notice that the CLI adds the next word in the command. It is
the first word in the list from the previous step. Each time that you press the Tab key after that,
notice that the CLI replaces that word with the next possible word in the list, in alphabetical order,
until you press the spacebar key. This indicates that you have selected that word, and are ready to
enter the next word (if any).
9. Enter the following CLI commands.
config ?
show ?
Compare the list of valid next words for each one. Notice that there are some differences in the
CLI structure for each command, including show full-configuration.
config enters settings. show displays only the configuration that differs from the firmware's default
settings, unless you enter show full-configuration.
10. Enter the CLI commands to display the FortiGates port3 interface configuration. Compare the
output for each.
Only a unique leading part of each word must be typed; the CLI accepts any abbreviation that is
unambiguous. If you want to auto-complete each word in the command (in order to verify that it is
unambiguous, for example), press the Tab key after the abbreviated characters.
show system interface port3
show full-configuration system interface port3
Tip: Almost all commands can be abbreviated. In presentations and labs, many of the
commands that you see will be in abbreviated form.
Use this technique to reduce the number of keystrokes that are required to enter a
command. In this way, experts can often configure a FortiGate faster via CLI than GUI.
If there are other commands that start with the same characters, your abbreviation must
be long enough to be specific, so that FortiGate can distinguish them. Otherwise, the CLI
will display an error message about ambiguous commands.
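The prefix-matching rule described in the tip above, as an added example that is not part of the original guide: a small Python resolver that expands abbreviated words against a constructed subset of the FortiOS command tree (the word lists are an illustration, not the real command tree) and reports ambiguous or unknown abbreviations the way the CLI does.

```python
# Added example (not from the guide): resolves abbreviated CLI words the way
# the tip describes. A prefix is accepted when it matches exactly one keyword
# at that point in the command; otherwise the CLI reports it as ambiguous.
# COMMAND_TREE is a constructed subset for illustration, not the FortiOS tree.

class AmbiguousCommand(ValueError):
    """The abbreviation matches more than one keyword."""

class UnknownCommand(ValueError):
    """The abbreviation matches no keyword."""

# Constructed: maps the words typed so far to the words accepted next.
COMMAND_TREE = {
    "": ["config", "diagnose", "execute", "get", "show"],
    "show": ["full-configuration", "router", "system"],
    "show router": ["policy", "static"],
    "show system": ["admin", "dns", "global", "interface", "settings", "snmp"],
    "config": ["firewall", "router", "system"],
    "config system": ["dns", "global", "interface"],
}

def resolve_word(abbrev, candidates):
    """Expand one abbreviated word against the keywords valid at this position."""
    if abbrev in candidates:           # an exact keyword always wins
        return abbrev
    matches = [w for w in candidates if w.startswith(abbrev)]
    if len(matches) == 1:
        return matches[0]
    if not matches:
        raise UnknownCommand(f"unknown word {abbrev!r}")
    raise AmbiguousCommand(f"{abbrev!r} is ambiguous: {', '.join(matches)}")

def expand_command(line, tree=COMMAND_TREE):
    """Expand every abbreviated word in a command line, left to right.

    Each expanded word selects the next keyword list. Once the command moves
    past the modelled tree (for example an object name such as port3), the
    remaining words are kept exactly as typed.
    """
    expanded = []
    for word in line.split():
        candidates = tree.get(" ".join(expanded))
        if candidates is None:
            expanded.append(word)
        else:
            expanded.append(resolve_word(word, candidates))
    return " ".join(expanded)
```

Running expand_command("sh sys int port3") returns "show system interface port3", while "sh sys s" raises AmbiguousCommand because both settings and snmp start with s; lengthening the abbreviation to sn resolves it, which is exactly the check the Tab key performs on a real FortiGate.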
3. Click the button that enables you to select which backup file to restore. (The name of this button
varies by browser.)
Select the file named Resources\Introduction\student-initial.conf, then click Restore. This file is
the prerequisite configuration for the next lab.
After your browser uploads the configuration, the FortiGate will automatically reboot. The
length of the restoration process varies by how complex the configuration is. More complex
configurations take more time to parse and validate. Most configurations take FortiGate less than
1 minute to validate and then reboot.
4. Refresh the web page and log in again to the GUI on the Student FortiGate.
Go to System > Network > Interface and then Router > Static > Static Route. Verify that the
network interface settings and default route were restored.
5. Go to System > Network > DNS Server. Review the student and remote DNS zones.
In the Student DNS zone, verify the IPv4 Address (A) records and Pointer (PTR) records for
the student FortiGate device (10.0.1.254) and the Windows server (10.0.1.10).
In the Remote DNS zone, check the IPv4 Address (A) records and Pointer (PTR) records for
the Remote FortiGate device (10.200.3.1) and the Windows host (10.0.2.10).
By providing a DNS server to your management network, FortiGate enables you access these
devices in your lab by using a domain name instead of their IP address. To do this, the Windows
server should be configured to use the Student FortiGate's port3 IP address as its DNS server.
6. On the Windows server, open a command prompt. Use the following commands to verify the DNS
lookup results.
nslookup server.student.lab 10.0.1.254
nslookup fgt.student.lab 10.0.1.254
nslookup pc.remote.lab 10.0.1.254
nslookup fgt.remote.lab 10.0.1.254
Note: The parameters of the nslookup command are:
nslookup [-option] [hostname] [server]
7. Open a web browser. Go to these URLs to verify that you can use domain names to reach the
GUI of both the Student and Remote FortiGate:
http://fgt.student.lab
http://fgt.remote.lab
3. Select Encrypt configuration file, enter the password fortinet, then click the Backup button to
save the encrypted configuration file to the desktop with the filename student-initial-enc.conf.
(You may need to modify the web browser's settings to prompt you for the location to save files.
For Firefox, go to Tools > Options > General then select Always ask me where to save files.)
Caution: Always back up the configuration file before changing your device (even if the
change seems minor or unimportant). There is no undo. Restoring a backup will allow you to
quickly revert changes if you discover problems.
To distinguish between files from multiple FortiGates, use a naming convention such as their
host names.
4. In the System Information widget, click Restore. Select the file that you downloaded in the
previous step (student-initial-enc.conf), then click the Restore button.
Notice that this time, you must enter the password fortinet because this file is password-encrypted.
5. Using Notepad or Notepad++, open the file student-initial.conf. In another editor window,
open the file student-initial-enc.conf and compare the two files.
Note: In both the normal and encrypted configuration the top of the file acts as a
header, describing the firmware and model information this configuration
belongs to.
Objectives
Time to Complete
Estimated: 10 minutes
Password Policy: Enable
Must Contain: 1 Upper Case Letter, 1 Numerical Digit
Password Expiration: Enable, 90 days
Objectives
Time to Complete
Estimated: 10 minutes
If not already added, click the All Session widget from the pop-up window to add it to the
dashboard.
Close the widget list window. Widgets can be removed from the page simply by clicking the X in the
upper left corner of each one.
4. Hover the mouse over the title bar of the System Resources widget and click Edit to create a
custom widget.
View Type:
Historical
Time Period:
Last 60 minutes
A line chart appears in a new custom System Resource History widget showing a trace of CPU,
memory and sessions over the past hour.
The refresh rate of this window is automatically set to 1/20 of the time period (interval) configured.
5. The Alert Message Console widget displays recent system events, such as system restart and
firmware upgrade.
Hover the mouse over the title bar of the Alert Message Console widget and click History to view
the entire message list.
Note: If there are no alerts you can reboot the FortiGate in order to see
one. To do so, connect to the CLI and use the command exe reboot
6. At the top of the dashboard, click Dashboard and select Add Dashboard.
Enter any name of your choice for the new dashboard and select the single column display.
The new dashboard will show up as a selectable menu option on the right-hand side.
7. Next add the All Sessions widget on your new dashboard. Click the edit icon in the title bar of the
All Sessions widget and observe the different ways in which sessions can be reported. For
example, by top Destination Address, top Applications etc. You can also select to display the top
sessions by Source and Destination interfaces. Create your own customized Top Sessions widget
and examine the sessions that are listed.
Some widgets are only allowed to appear on 1 dashboard at a time. For example, System
Information cannot be added to this new dashboard until the widget is removed from the Status
dashboard.
8. Test the functionality of the refresh, page forward, and page back icons in this window. You may
need to generate some additional traffic in order to properly test these functions.
9. Click Dashboard and select Reset Dashboards to reset all the dashboards to the default.
Name: fortinet
Type: FQDN
FQDN: www.fortinet.com
Leave the remaining settings at their defaults and click OK to save the changes.
6. Next go to Log & Report > Event Log > System and review the log entries.
7. Go to Log & Report > Log Config > Log Setting and uncheck the option System activity event.
Objectives
Time to Complete
Estimated: 10 minutes
6. From the GUI on the Student FortiGate, go to System > Config > SNMP to enable SNMP monitoring.
Select Enable for the SNMP Agent at the top, then click Apply.
7. Create a new SNMP v3 security name using the settings displayed below. Set the Auth password
to fortinet. Set the Notification host to 10.200.1.254.
Click OK.
8. Go to System > Network > Interfaces and edit port1. Confirm that SNMP is enabled under the
Administrative Access settings. If it is not enabled you will need to enable it first, then click OK to
save the changes.
9. Leave the SSH window that is currently running the tail command open, and run PuTTY again to
open a new SSH connection to the LINUX host (10.200.1.254).
Next, execute the following snmpwalk command to find and display all of the monitoring options
that a device presents through SNMP:
snmpwalk -v 3 -a sha -A fortinet -u training -l authNoPriv 10.200.1.1
A tree listing of all the options available to monitor this FortiGate VM device will be displayed.
To make it easier to view the information available, you may also append >snmp.test to the
command entered above. This will save the output to a file named snmp.test. Enter the
command view snmp.test to view the output file.
Firewall Policies
Lab 1: Firewall Policy
Objectives
Configure NAT
Use CLI commands to review your configuration and perform status checks
Time to Complete
Estimated: 40 minutes
Name: STUDENT_INTERNAL
Type: Subnet
Subnet/IP Range: 10.0.1.0/24
Interface: Any
Once the settings have been entered, click OK to save the changes.
4. The unrestricted port3 to port1 policy will need to be temporarily disabled in the policy list. To do
this, go to Policy & Objects > Policy > IPv4, right-click the unrestricted port3 to port1 policy and
select Status > Disable.
5. Next click Create New to add a new firewall policy to provide general Internet access from the
internal network. Configure these settings:
Incoming Interface: port3
Source Address: STUDENT_INTERNAL
Outgoing Interface: port1
Destination Address: all
Schedule: always
Service:
Action: ACCEPT
Enable NAT: Enabled
Log Allowed Traffic: Enabled
Log Options:
Comments:
When creating firewall policies, remember that FortiGate is a stateful firewall. As a result, you
only need to create one firewall policy that matches the direction of the traffic that initiates the
session.
Once the policy settings have been entered, click OK to save the changes.
6. On the Windows server, open a web browser and connect to various external web sites.
7. From the GUI on the Student FortiGate device, go to Log & Report > Traffic Log > Forward Traffic
and identify the log entries for your Internet browsing traffic.
With the current settings you should see many 0 byte log messages with action start. These are
the session start logs. When a session closes, you will get a separate log entry with the amount
of data sent and received.
Logging session starts generates twice the number of log messages. Enable this option only when
that level of detail is absolutely necessary.
8. From the CLI, enter the following command to see the source NAT action.
# get system session list
Sample Output:
STUDENT # get sys session list
PROTO   EXPIRE SOURCE           SOURCE-NAT           DESTINATION           DESTINATION-NAT
tcp     3600   10.0.1.10:3677   -                    10.0.1.254:22         -
tcp     3587   10.0.1.10:3717   10.200.1.1:64133     72.30.38.140:80       -
tcp     3570   10.0.1.10:3681   10.200.1.1:64097     69.171.228.70:80      -
tcp     3577   10.0.1.10:3710   10.200.1.1:64126     74.125.228.92:80      -
tcp     3587   10.0.1.10:3708   10.200.1.1:64124     74.125.228.92:80      -
tcp     3587   10.0.1.10:3706   10.200.1.1:64122     66.94.245.1:80        -
tcp     2274   10.0.1.10:3608   10.200.1.1:64024     10.200.1.254:22       -
tcp     3587   10.0.1.10:3712   10.200.1.1:64128     80.239.217.66:80      -
tcp     3566   10.0.1.10:3679   10.200.1.1:64095     74.125.227.24:80      -
Note that FortiGate is applying a new source address: that of the destination interface port1
(10.200.1.1).
Incoming Interface: port3
Source Address: STUDENT_INTERNAL
Outgoing Interface: port1
Destination Address:
Schedule: always
Service:
Action: DENY
Log Violation Traffic: Enabled
This setting will reduce the amount of logging entries caused by the violation traffic. Notice how
the time between log entries increases.
Name: VIP_INTERNAL_HOST
External Interface: port1
Type: Static NAT
External IP Address/Range: 10.200.1.200 - 10.200.1.200
Mapped IP Address/Range: 10.0.1.10

Incoming Interface: port1
Source Address: all
Outgoing Interface: port3
Destination Address: VIP_INTERNAL_HOST
Schedule: always
Service: HTTP, HTTPS
Action: ACCEPT
Log Options:
Enable NAT: Disabled (default)
Comments:
5. From the CLI on the Student FortiGate, check the destination NAT entries in the session table:
# get system session list
Sample Output:
STUDENT # get sys session list
PROTO   EXPIRE SOURCE             SOURCE-NAT   DESTINATION        DESTINATION-NAT
tcp     3537   10.200.3.1:62426   -            10.200.1.200:80    10.0.1.10:80
6. On the Windows server, open a web browser and connect to a few external web sites. Now
examine the session information again as follows:
# get system session list
Sample Output:
STUDENT # get sys session list
PROTO   EXPIRE SOURCE           SOURCE-NAT           DESTINATION             DESTINATION-NAT
tcp     3591   10.0.1.10:3995   10.200.1.200:3995    66.94.241.1:80          -
tcp     3590   10.0.1.10:3977   10.200.1.200:3977    72.30.38.140:80         -
tcp     3553   10.0.1.10:3965   10.200.1.200:3965    184.150.187.83:80       -
tcp     3592   10.0.1.10:3998   10.200.1.200:3998    74.125.228.92:80        -
tcp     3584   10.0.1.10:3969   10.200.1.200:3969    69.171.237.16:80        -
tcp     3596   10.0.1.10:4001   10.200.1.200:4001    208.91.113.80:80        -
tcp     3590   10.0.1.10:3983   10.200.1.200:3983    216.115.100.102:80      -
tcp     3590   10.0.1.10:3979   10.200.1.200:3979    216.115.100.103:80      -
tcp     3590   10.0.1.10:3987   10.200.1.200:3987    216.115.100.102:80      -
tcp     3590   10.0.1.10:3981   10.200.1.200:3981    216.115.100.103:80      -
tcp     3590   10.0.1.10:3985   10.200.1.200:3985    216.115.100.102:80      -
tcp     1013   10.0.1.10:3608   10.200.1.1:64024     10.200.1.254:22         -
tcp     3589   10.0.1.10:3976   10.200.1.200:3976    72.30.38.140:80         -
tcp     3591   10.0.1.10:3996   10.200.1.200:3996    184.150.187.99:80       -
tcp     3554   10.0.1.10:3967   10.200.1.200:3967    74.125.228.65:80        -
tcp     3590   10.0.1.10:3990   10.200.1.200:3990    216.115.100.103:80      -
tcp     3591   10.0.1.10:3978   10.200.1.200:3978    216.115.100.103:80      -
tcp     3590   10.0.1.10:3980   10.200.1.200:3980    216.115.100.103:80      -
Note that the outgoing connections from the Windows server are now being NATted to the VIP
address instead of the firewall's interface address, and that the original source port is preserved
(3995 stays 3995). This is a behaviour of a static NAT VIP: when NAT is enabled on a policy, a static
NAT VIP that maps the session's source address takes priority over the destination interface IP
address.
Name: INTERNAL_HOST_EXT_IP
Type: Overload
External IP Range/Subnet: 10.200.1.100
Once the policy settings have been entered click OK to save the changes.
2. Go to Policy & Objects > Policy > IPv4, and right-click the outgoing General Internet Access
policy. Select Copy Policy, then right-click the same policy again and select Paste > Above.
3. Select the new copy of the General Internet Access policy and configure these settings:
Incoming Interface: port3
Source Address: STUDENT
Outgoing Interface: port1
Destination Address: all
Schedule: always
Service: ALL
Action: ACCEPT
Log Options:
Enable NAT: Enabled
Use Dynamic IP Pool: INTERNAL_HOST_EXT_IP
Comments:
Click OK to save the changes. Verify that you have enabled it.
4. FortiGate does stateful inspection, so any existing sessions will not use this new firewall policy
until they time out or you manually clear the session table. You can do this either individually from
the session widget on the dashboard, or clear the entire list from the CLI:
diag sys session filter src 10.0.1.10
diag sys session clear
5. Connect to a few web sites such as http://yahoo.com/. From the CLI on the Student FortiGate,
verify the source NAT IP address that those sessions are using:
# get system session list
Sample Output:
STUDENT # get system session list
PROTO   EXPIRE SOURCE           SOURCE-NAT            DESTINATION             DESTINATION-NAT
tcp     3599   10.0.1.10:3963   10.200.1.100:64379    74.125.225.126:443      -
tcp     3599   10.0.1.10:3961   10.200.1.100:64377    74.125.225.111:443      -
tcp     3552   10.0.1.10:3953   10.200.1.100:64369    76.74.133.167:80        -
tcp     3597   10.0.1.10:3956   10.200.1.100:64372    74.125.225.118:80       -
tcp     3597   10.0.1.10:3954   10.200.1.100:64370    74.125.225.117:80       -
tcp     3598   10.0.1.10:3959   10.200.1.100:64375    199.7.57.72:80          -
tcp     16     10.0.1.10:3948   10.200.1.100:64364    66.36.238.121:22        -
tcp     3598   10.0.1.10:3958   10.200.1.100:64374    209.85.225.84:443       -
tcp     3599   10.0.1.10:3962   10.200.1.100:64378    74.125.225.99:443       -
tcp            10.0.1.10:3960   10.200.1.100:64376    98.139.200.238:80       -
tcp     3597   10.0.1.10:3955   10.200.1.100:64371    74.125.225.118:80       -
Notice that the source NAT address is now 10.200.1.100, as configured in the IP pool, and that the
dynamic IP pool selected in the policy has overridden the static NAT VIP.
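To compare the three session tables in this lab (interface SNAT, static NAT VIP, dynamic IP pool) mechanically rather than by eye, here is an added Python example that is not part of the original guide. It parses the text of get system session list, classifies each session by the NAT that was applied, and reports which addresses are in use as SNAT sources and whether the original source port was kept. SAMPLE_OUTPUT is a constructed excerpt in the same column layout as the guide's output, one row per case, not a capture from a device.

```python
# Added example (not from the guide): parse "get system session list" output
# and classify each session by the NAT FortiGate applied.
# SAMPLE_OUTPUT is constructed in the guide's column layout; it is not a capture.
from collections import Counter
from dataclasses import dataclass
from typing import Optional

SAMPLE_OUTPUT = """\
STUDENT # get sys session list
PROTO   EXPIRE SOURCE             SOURCE-NAT           DESTINATION           DESTINATION-NAT
tcp     3600   10.0.1.10:3677     -                    10.0.1.254:22         -
tcp     3587   10.0.1.10:3717     10.200.1.1:64133     72.30.38.140:80       -
tcp     3537   10.200.3.1:62426   -                    10.200.1.200:80       10.0.1.10:80
tcp     3591   10.0.1.10:3995     10.200.1.200:3995    66.94.241.1:80        -
tcp     3599   10.0.1.10:3963     10.200.1.100:64379   74.125.225.126:443    -
"""

@dataclass(frozen=True)
class Session:
    proto: str
    expire: int
    source: str
    source_nat: Optional[str]       # None when the column showed "-"
    destination: str
    destination_nat: Optional[str]  # None when the column showed "-"

def _split_endpoint(endpoint):
    """'10.0.1.10:3677' -> ('10.0.1.10', 3677). IPv4 only, as in this lab."""
    host, _, port = endpoint.rpartition(":")
    return host, int(port)

def parse_session_list(text):
    """One Session per data row; the prompt, header and blank lines are skipped."""
    sessions = []
    for line in text.splitlines():
        fields = line.split()
        # Data rows have six columns and a numeric EXPIRE; the prompt line
        # ("STUDENT # get sys session list") and the header do not.
        if len(fields) != 6 or not fields[1].isdigit():
            continue
        proto, expire, src, snat, dst, dnat = fields
        sessions.append(Session(
            proto=proto,
            expire=int(expire),
            source=src,
            source_nat=None if snat == "-" else snat,
            destination=dst,
            destination_nat=None if dnat == "-" else dnat,
        ))
    return sessions

def nat_type(s):
    """'none', 'SNAT', 'DNAT' or 'SNAT+DNAT' for one session."""
    if s.source_nat and s.destination_nat:
        return "SNAT+DNAT"
    if s.source_nat:
        return "SNAT"
    if s.destination_nat:
        return "DNAT"
    return "none"

def source_port_preserved(s):
    """True when SNAT kept the original source port, as a static NAT VIP does."""
    if not s.source_nat:
        return False
    return _split_endpoint(s.source)[1] == _split_endpoint(s.source_nat)[1]

def snat_address_counts(sessions):
    """Which addresses are in use as SNAT sources, and how many sessions each carries."""
    return Counter(_split_endpoint(s.source_nat)[0] for s in sessions if s.source_nat)

def filter_by_source_ip(sessions, ip):
    """Offline counterpart of 'diag sys session filter src <ip>' on parsed output."""
    return [s for s in sessions if _split_endpoint(s.source)[0] == ip]
```

Feeding the output of each exercise through snat_address_counts shows the SNAT source moving from the port1 address (10.200.1.1) to the VIP (10.200.1.200) and then to the IP pool (10.200.1.100), and source_port_preserved distinguishes the static NAT VIP rows, whose source port is unchanged, from interface and IP pool rows, where FortiGate picks a new port.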
12. Go to User & Device > Device > Device Group. Note that your device is already a member of
several predefined device groups.
Click Create New and add a new device group called myDevGroup.
Add myDevice to the Members list and click OK.
Note that your device is still a member of the predefined groups and is now a member of the
custom group myDevGroup.
13. Return to the outgoing general internet access policy and configure it to use your permanent
device or static device group. Check that your traffic is unaffected by this change.
Firewall Authentication
Lab 1: User Authentication
In this lab, you will learn how to authenticate users with FortiGate.
Objectives
Time to Complete
Estimated: 20 minutes
2. Open a web browser. Go to the GUI for the FortiGate named Student, and log in as admin.
http://10.0.1.254/
3. Restore the configuration file that is required by this lab:
Resources\Firewall-Authentication\Student\student-auth.conf
FortiGate will reboot.
4. Log in again. Review the user configuration for this lab.
Go to User & Device > User > User Definition to review the local user settings
Go to User & Device > User Group > User to review the user group configuration.
Note: You should find that there is 1 user, 1 group and 2 firewall policies. The
second firewall policy is disabled. Do not change either of the firewall policies
at this time.
5. Go to the System > Network > DNS Server and delete the entry for port3.
6. Confirm that the user is properly configured by using the CLI command
diag test auth local training Student F0rtinet
The command should return a successful result if the proper configuration has been loaded.
Note: The second character in Fortinet (the password) is a zero 0, and not a
letter.
Note: Both the username and password are always case sensitive, on a
FortiGate.
7. On the Win-Student server, open a web browser and connect to a new web site.
You should observe that the website does not display and you receive a timeout.
8. Open a command prompt and try to ping a website by its domain name. For example:
ping www.hotmail.com
You should find that the computer is unable to resolve the hostname to an IP address.
9. On the Student FortiGate's GUI, go to Policy & Objects > Policy > IPv4 and review the outgoing
port3 to port1 firewall policy with authentication configured.
Add DNS as an allowed service and apply the change to that policy.
Go back to the Windows command prompt and attempt to ping by name again. Now the behavior
is that the hostname can be resolved but the ping still times out because the policy does not allow
ICMP.
Note: FortiGate allows DNS to pass through the policy even though
authentication has not succeeded yet.
10. On the Win-Student server, open a web browser. Connect to a new web site.
At the login prompt, enter the following credentials:
Username:
Student
Password:
F0rtinet
You should observe that after successful authentication, FortiGate redirects your browser to the
web site that you requested.
11. On the Student FortiGate, go to User & Device > Monitor > Firewall to view the details of the
authenticated user along with some details about their IP address, how much traffic they have
sent, what method of authentication was used and so on.
If you right-click the columns at the top, you can find more information that can be added to the
display.
12. Go to System > Network > DNS Server. Add a new DNS service entry for port3 that is set to
Forward to System DNS.
13. On the Win-Student computer, open the Windows CLI and type the following command
Use_Internal_DNS
You should see output similar to this:
14.From the CLI, view the IP addresses and users which have successfully authenticated to the
FortiGate unit with the following command:
diag firewall auth list
Clear all authenticated sessions with the following command:
diag firewall auth clear
Note: Verify that you are not authenticated through the FortiGate before you begin.
Use either the User Monitor in the GUI or the CLI command from the previous exercise
in order to de-authenticate.
1. On the Student FortiGate's GUI, go to Policy & Objects > Policy > IPv4.
Edit the second policy (which does not have authentication enabled and is slightly greyed out
currently) and enable it.
You can either open the policy, select Enable this policy at the bottom and apply the change, or
right-click the Seq # and select Enable.
2. On the Windows desktop, open a web browser and connect to a new web site.
You should observe that, unlike before, FortiGate doesn't ask you to authenticate. However, you
can still access the website even though the first policy has authentication enabled.
This illustrates the behavior of authentication and how it interacts with the Firewall policies. The
source for the first policy is your IP AND all users in the training group. You have not
authenticated yet, so your traffic does not match the source for that policy. The second policy will
match all IPs and has no authentication options enabled, so it matches your traffic and allows the
connection through.
Since FortiGate found a policy match with just the source IP, it does not force a login.
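As an added illustration of the matching described in step 2 (example code written for this guide, not FortiOS code or a Fortinet tool), the following simplified model evaluates the lab's two IPv4 policies top-down: a policy whose source includes a user group matches only traffic from a user already authenticated into that group, and in this model a login is requested only when the sole IP-matching policies require authentication. Policy sequence numbers, the STUDENT_INTERNAL range 10.0.1.0/24, the Win-Student address 10.0.1.10 and the training group come from the lab; the decision logic itself is a simplification.

```javascript
// Added example for this guide: a simplified model of how the lab's two IPv4
// policies interact with user authentication. Not FortiOS code; the rules below
// follow the explanation in step 2, not a FortiGate implementation.

// True if dotted-quad `ip` lies inside `cidr`, e.g. "10.0.1.0/24" or "0.0.0.0/0".
function inCidr(ip, cidr) {
  const toInt = (a) => a.split(".").reduce((n, o) => n * 256 + Number(o), 0);
  const [net, bits] = cidr.split("/");
  // "<< 32" would be "<< 0" in JavaScript, so /0 is handled explicitly.
  const mask = bits === "0" ? 0 : (0xffffffff << (32 - Number(bits))) >>> 0;
  return ((toInt(ip) & mask) >>> 0) === ((toInt(net) & mask) >>> 0);
}

// The two policies from the lab: source subnet, required user groups (empty =
// no authentication on the policy) and whether the policy is enabled.
// Policy 2 starts disabled, as it is before step 1 of this exercise.
const policies = [
  { seq: 1, name: "port3 -> port1 (auth)", source: "10.0.1.0/24", groups: ["training"], enabled: true },
  { seq: 2, name: "port3 -> port1 (no auth)", source: "0.0.0.0/0", groups: [], enabled: false },
];

// Evaluate policies top-down for a client at `srcIp` authenticated into
// `userGroups` (an empty array means not authenticated yet).
// Returns { action: "accept", policy } when a policy matches outright,
// { action: "prompt", policy } when the only IP-matching policies need a login
// the client has not yet done, or { action: "deny" } when nothing matches.
function evaluate(policyList, srcIp, userGroups) {
  let needsLogin = null;
  for (const p of policyList) {
    if (!p.enabled || !inCidr(srcIp, p.source)) continue; // source IP is part of the match
    const authSatisfied = p.groups.length === 0 || p.groups.some((g) => userGroups.includes(g));
    if (authSatisfied) return { action: "accept", policy: p };
    if (needsLogin === null) needsLogin = p; // remember the first auth-only candidate
  }
  // No policy matched on IP plus identity; if an authenticating policy matched
  // on IP alone, the client is sent to the login page instead of being denied.
  return needsLogin ? { action: "prompt", policy: needsLogin } : { action: "deny" };
}

// The lab's scenarios for the Win-Student computer at 10.0.1.10.
function labScenarios() {
  const onlyAuthPolicy = policies.map((p) => ({ ...p }));
  const bothPolicies = policies.map((p) => ({ ...p, enabled: true }));
  return {
    // Previous exercise: only the authenticating policy is enabled, so the
    // unauthenticated browser is redirected to the login page.
    beforeStep1: evaluate(onlyAuthPolicy, "10.0.1.10", []).action,
    // After step 1: unauthenticated traffic falls through to policy 2 and is
    // accepted without any login prompt.
    afterStep1: evaluate(bothPolicies, "10.0.1.10", []).action,
    afterStep1Seq: evaluate(bothPolicies, "10.0.1.10", []).policy.seq,
    // A user already authenticated into "training" matches policy 1 first.
    authenticatedSeq: evaluate(bothPolicies, "10.0.1.10", ["training"]).policy.seq,
  };
}
```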
3. On the Student FortiGate's GUI, go to System > Network > Interfaces and edit the port 3 interface.
Set the Security Mode to Captive Portal and click OK to save the change.
4. Open a web browser and connect to a new web site.
FortiGate should prompt you to log in. Use the same credentials as the previous exercise.
Note: If you are not prompted to log in, refer to step 1.
5. On the Student FortiGate's GUI, go to Policy & Objects > Policy > IPv4. Edit the first firewall policy.
Change the source to STUDENT_FALSE and the group to training.
SSL VPN
Lab 1: SSL VPN
In this lab, you will manage user groups and portals for the SSL VPN.
Objectives
Time to Complete
Estimated: 30 minutes
ssl.root
Source Address:
all
Source User(s):
Training_One
Outgoing Interface:
Port1
5. Under VPN > SSL > Settings, review the authentication rules at the bottom. This rule gives all
users who are authorized to log in access to the web-access portal.
6. To observe the effect of this policy you will now access the SSL VPN. On the Win-Remote
computer, open a web browser and access the SSL VPN by browsing to:
https://10.200.1.1/
Accept the security warnings for the self-signed certificate and log in using the following
credentials:
Username:
Student
Password:
F0rtinet
You should notice that you are successfully able to log in, but the web portal is currently in
default settings. You will now configure the web-access portal which is selected in the SSL
VPN policy.
7. Log out and return to the Win-Student computer.
8. In the GUI of the Student FortiGate, go to VPN > SSL > Portals and select web-access and
Edit to modify the settings for this portal. Create the following bookmarks for the internal server.
First Bookmark:
Category:
Test
Name:
Linux Website
Type:
HTTP/HTTPS
URL:
10.200.1.254
Click OK.
Second Bookmark:
Category:
Test
Name:
Type:
RDP
Host:
10.0.1.10
Click OK.
Click OK at the bottom of the page to save the bookmarks on this portal.
9. Test the SSL VPN access again from the Win-Remote computer by browsing to:
https://10.200.1.1
You should now observe that you have two bookmarks listed.
10. Select the Linux Website bookmark and examine the items listed below to understand how the
web access functions.
Note: Do not use the Student computer website yet. It will be tested in the next exercise.
Note the URL of the web site in the browser address bar:
https://10.200.1.1/proxy/http/10.200.1.254/
The first part of the address is the encrypted link to the FortiGate SSL VPN gateway:
https://10.200.1.1/
The second part of the address is the instruction to use the SSL VPN HTTP proxy:
.../proxy/http...
The final part of the address is the destination of the connection from the HTTP proxy:
.../10.200.1.254/
In this example, the connection is encrypted only as far as the SSL VPN gateway. The connection
from the HTTP proxy to the final destination is in clear text.
11. Return to the Win-Student computer and from the GUI on the Student FortiGate, go to VPN >
Monitor > SSL-VPN Monitor. Locate the details of the SSL VPN connection.
Note the User, Source IP and Begin Time.
Log the user out by selecting their name and clicking Delete.
Student2
Password:
F0rtinet
4. To observe the effect of these changes, access the SSL VPN again. Log in with both the Student
and Student2 users.
What do you see when you log in? You should see the same portal as in the previous exercise.
Why?
The portal mapping rules have all users accessing the web-access portal.
5. Under VPN > SSL > Settings create a new mapping for a user group and portal:
Users/Group:
Training_Two
Portal
full-access
After adding the mapping rule, click OK to go back to the settings page, then click APPLY to
save the changes.
Note: If you click OK but do not click APPLY, then FortiGate will not save the changes
you make to the portal mapping rules.
6. Log out of the SSL VPN portal (if you haven't already) and log in again. Be sure to use the
Student2 user credentials from step 1.
You should now observe that the portal established is the full-access portal, which has different
widgets and options enabled than the web-access portal.
ssl.root
Source Address:
all
Source User(s):
Training_One,Training_Two
Outgoing Interface:
port3
Destination Address
STUDENT_INTERNAL
Schedule
always
Service
ALL
Action
Accept
4. Go back to the SSL VPN portal and select the Student Computer Website again.
FortiGate should now allow the web site to display because traffic is now allowed to pass from
ssl.root to port3.
5. Log out of the SSL VPN portal.
6. In your browser, enter the IP address 10.0.1.10.
The browser's connection will time out because there is no access to the Win-Student computer
from the Win-Remote computer.
7. Log back into the SSL VPN portal as student2.
Once the login has finished, activate the SSL VPN Tunnel
Note: To do this, you must install the SSL VPN adapter.
Objectives
Time to Complete
Estimated: 30 minutes
lookup, and therefore FortiGate selects the remote interface. A route is driving the traffic to the
IPsec interface.
9. Go to Router > Monitor and view the current routing table. You will observe a static route to the
destination 10.0.2.0/24 pointing to the remote interface.
This is an example of the route-based VPN configuration. The alternative is the policy-based VPN
which we will review next.
Usually, route-based VPNs are preferred, but there are a few exceptions where you would need to
use a policy-based VPN. These will be discussed later.
10. Open a web browser on the Windows server. Connect to the GUI on the Remote FortiGate device.
11. Go to VPN > Monitor > IPsec Monitor and examine the tunnel status from the Remote FortiGate
device. You should observe a tunnel named student with the destination 10.200.1.1 and the
Status is up.
This is the tunnel that this FortiGate established with the Student FortiGate.
12. Go to System > Network > Interface. Notice there is no tunnel sub-interface for port4.
13. Go to Route > Monitor and view the current routing table. Notice that there is no specific route for
10.0.2.0/24; there is only a default route.
How is the traffic entering the tunnel then?
14. Review the firewall policy that exists on the Remote FortiGate device. Note that there is a policy
from port6 to port4 for address 10.0.2.0/24 (REMOTE_INTERNAL) to address 10.0.1.0/24
(STUDENT_INTERNAL) with action IPsec.
Edit this policy to view its settings.
The policy subtype is IPsec, and it uses the VPN Tunnel called student. It also has permissions to
allow traffic inbound as well as outbound. We will look at these settings later.
How is the traffic matching this policy?
On the Student FortiGate, a static route was sending traffic to the IPsec virtual interface. Here
there is no static route. Instead, the policy setting is sending traffic to the VPN.
The IPsec policy matches traffic from 10.0.2.0/24 to 10.0.1.0/24 and forwards it to the tunnel
student.
15. From the Remote FortiGate device, go to VPN > IPsec > Auto Key (IKE) and review the IPsec
configuration. Note the Phase 1 and Phase 2 IKE objects.
You can also view these settings from the CLI:
conf vpn ipsec phase1-interface
conf vpn ipsec phase2-interface
16. Edit the Phase1 IKE object remote and select Advanced to view all the settings. Note that
IPsec Interface Mode is not selected.
The Phase1 IKE object is the IPsec tunnel referenced in the IPsec firewall policy. Here we are
using a policy-based VPN on the Remote FortiGate device and an interface-based VPN on the Student
FortiGate device. The type we use is of local significance, so we can mix them, as is the
case in this example.
17. From the remote Windows desktop, attempt to run a continuous ping to: 10.0.1.10.
You should observe this ping fails. Can you identify why?
If the VPN is in tunnel mode (policy-based), then FortiGate uses only 1 firewall policy to allow both incoming and
outgoing traffic. But if the VPN is in interface mode, then you must have 2 separate VPN firewall
policies: one to allow inbound, and one to allow outbound communication.
On the Student FortiGate, we have only configured the outgoing policy. The VPN is in interface
mode. So FortiGate drops the new incoming connection: there is no firewall policy to allow it.
18. Return to the Student FortiGate. Add the missing firewall policy.
You should observe that the ping now succeeds.
Objectives
Use a PAC file to configure the Internet browser to use the web proxy
Time to Complete
Estimated: 30 minutes
Web
Source Address
STUDENT_INTERNAL
Outgoing Interface
port1
Destination Address
all
Action
AUTHENTICATE
Student
Schedule
always
10.0.1.254
Port
8080
Enable the option Use this proxy server for all protocols.
Additionally, add the subnet 10.0.1.0/24 to the No Proxy for list. This list contains the names, IP
addresses and subnets of web sites that are exempted from using the proxy:
Click OK.
10. Try to browse any web site. FortiGate will ask you for authentication. Use these credentials:
User Name
Student
Password
F0rtinet
After that, you should have Internet access through the explicit web proxy.
Note: The second character of the password F0rtinet is a zero (0), not the letter O.
Both the username and password are always case sensitive.
11. While browsing different web sites, type the following CLI command to check the list of active web
proxy users:
# diagnose wad user list
You can also check this list from the GUI, by going to User & Device > Monitor > Firewall.
12. Type these CLI commands to list some web proxy sessions:
diagnose sys session filter clear
diagnose sys session filter dport 8080
diagnose sys session list
You can also use the grep command to display only the source and destination IP addresses and
ports for each session:
diagnose sys session list | grep hook=pre
Why is the source IP address of all those sessions 10.0.1.10?
Why is the destination IP address of all those sessions 10.0.1.254?
Why don't we see any public IP address listed in those sessions?
13. While browsing an HTTP site, type these other commands to list another set of proxy sessions:
diagnose sys session filter clear
diagnose sys session filter dport 80
diagnose sys session list | grep hook=out
Why is the source IP address of all these sessions 10.200.1.1?
Why don't we see the IP address of the Windows server (10.0.1.10)?
Tip: In the case of explicit web proxy, for each connection to a web site, two sessions are
created with the FortiGate: one from the client to the proxy, and another one from the
proxy to the server.
Select the file proxy.pac in the folder Resources\Explicit-Web-Proxy. Click Import, then Apply.
3. Click the pencil icon again to look at the imported PAC file:
Click Apply to save all the changes in the explicit proxy configuration.
Note: The second line in the PAC file specifies that the browser will not use a proxy to
reach the servers in the subnet 10.0.0.0/8. The next line configures the browser to use
the FortiGate proxy for any other subnet or URL.
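The note above describes the PAC file's logic without reproducing it. As an added example (not the course's proxy.pac, whose exact contents are not shown on the page), the following equivalent PAC rules exempt 10.0.0.0/8 and send everything else to the explicit proxy at 10.0.1.254:8080. The browser normally provides isInNet() itself; the stand-in defined here handles only dotted-quad hosts so the function can be exercised outside a browser, and the hostname www.example.com is a constructed sample.

```javascript
// Added example: a PAC file with the rules described in the note. Not the
// course's proxy.pac file, which is not reproduced on the page.
//
// A browser supplies isInNet() itself and resolves hostnames through DNS before
// comparing. This stand-in only understands dotted-quad hosts so the PAC logic
// can run offline with Node; a hostname is treated as "not in the subnet".
function isInNet(host, pattern, mask) {
  const quad = /^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/;
  if (!quad.test(host)) return false;
  const toInt = (a) => a.split(".").reduce((n, o) => n * 256 + Number(o), 0);
  const m = toInt(mask);
  return ((toInt(host) & m) >>> 0) === ((toInt(pattern) & m) >>> 0);
}

// --- proxy.pac equivalent -----------------------------------------------------
function FindProxyForURL(url, host) {
  // Second line of the PAC file: servers in 10.0.0.0/8 are reached directly,
  // bypassing the proxy. Direct traffic still has to be allowed by an ordinary
  // firewall policy on the FortiGate (the missing piece in step 6 below).
  if (isInNet(host, "10.0.0.0", "255.0.0.0")) return "DIRECT";
  // Next line: every other subnet or URL goes through the FortiGate explicit proxy.
  return "PROXY 10.0.1.254:8080";
}
// -------------------------------------------------------------------------------

// Where the browser would send the lab's test requests.
function routeForLabHosts() {
  return {
    // Step 6: the Linux server on 10.200.1.254 is inside 10.0.0.0/8, so no proxy.
    linuxServer: FindProxyForURL("http://10.200.1.254/", "10.200.1.254"),
    // Step 5: any Internet site goes through the proxy (constructed sample host).
    publicSite: FindProxyForURL("http://www.example.com/", "www.example.com"),
    // Fetching the PAC file itself from the FortiGate is also a direct connection.
    pacFile: FindProxyForURL("http://10.0.1.254:8080/proxy.pac", "10.0.1.254"),
  };
}
```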
4. Open Mozilla Firefox options again. Select the Advanced > Network tab and click Settings.
Select the option Automatic proxy configuration URL then type:
http://10.0.1.254:8080/proxy.pac
Click OK.
5. Close Firefox and open it again. Try to browse any web site in the Internet. The traffic will go
through the FortiGate proxy. If FortiGate asks you to authenticate, use the same Student account.
6. Now connect to a web site in the network 10.0.0.0/8. The browser will not use the proxy and will
send the HTTP request directly to the server. Try with this server:
http://10.200.1.254
It is not working. There is something missing in the FortiGate configuration. Do you know what it
is?
7. Go to Policy & Objects > Policy > IPv4 and add the following firewall policy:
Incoming Interface
port3
Source Address
STUDENT_INTERNAL
Outgoing Interface
port1
Destination Address
All
Schedule
Always
Service
ALL
Action
ACCEPT
NAT
Enabled
Antivirus
Lab 1: Antivirus Scanning
In this lab, you will work with both flow-based and proxy-based antivirus scanning.
Objectives
Time to Complete
Estimated: 30 minutes
The EICAR file is an industry-standard test file used to check antivirus detection with a harmless
file. The file contains the following characters:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
12. FortiGate shows the HTTP virus message when it blocks or quarantines infected files. In the
message that is displayed, click the link to the Fortinet Virus Encyclopedia to view information
about the detected virus.
13. From the GUI on Student FortiGate, go to Log & Report > Traffic Log > Forward Traffic and locate
the antivirus event messages.
In order to view summary information of the antivirus activity, add the Advanced Threat Protection
Statistics widget to the dashboard.
14. On the EICAR web page, click Download ANTI MALWARE TESTFILE and then click the
Download link that appears on the left. This time, select the eicar.com file from the Download area
using the secure SSL enabled protocol HTTPS section.
Your download should succeed. FortiGate should not block the file, because we have not enabled
full SSL inspection.
15. To enable inspection of SSL encrypted traffic on the Student FortiGate unit, go to Policy &
Objects > Policy > SSL/SSH Inspection, edit the default profile, set the Inspection Mode to Full
SSL Inspection and make sure that HTTPS is enabled and set to port 443.
Click Apply.
16. To ensure that there are no existing sessions prior to deep scanning the communication
exchange, connect to the CLI of the Student FortiGate and enter the following command:
diag sys session filter dport 443
diag sys session clear
This will clear out all the HTTPS (port 443) sessions on the firewall, in case the web server did not
properly close down the communications.
17. Return to the EICAR web page and attempt to download the eicar.com file from the Download
area using the secure SSL enabled protocol HTTPS section.
This time, FortiGate should block the download and replace it with a message. If it doesn't, you
may need to clear your cache. In Firefox, select History > Clear Recent History > Everything.
18. In order to see the block page, you will need to accept the certificate warning. It appears because
the connection is now being inspected, and encrypted protocols are designed to prevent exactly that
kind of eavesdropping.
6. On the GUI of the Student FortiGate, locate the logs for the detection of this file.
With flow-based virus scanning, data from the file has already been sent to the client, so no
immediate block message/page may be possible, depending on the protocol being scanned.
Web Filtering
Lab 1: Web Filtering
In this lab, you will configure web filtering to block specific categories of content. The interaction of
local categories and overrides will also be demonstrated.
Lab Objectives
Time to Complete
Estimated: 30 minutes
7. Verify that the rating of the website www.bing.com is NOT pornography by going to the URL
http://www.fortiguard.com/static/webfiltering.html and checking.
You will find that Bing is not rated as pornography and that the category it belongs to has a
monitor action rather than block.
8. From the CLI on the Student FortiGate, examine the FortiGate's behavior:
diag debug application url 255
diag debug enable
Access the website www.bing.com again. The diagnostic output will indicate that the URL
matches a local rating.
9. In the GUI on the Student FortiGate device, go to Security Profiles > Advanced > Web Rating
override.
You will find an entry for www.bing.com which is assigned the category Pornography.
10. Edit the Rating override for www.bing.com and set the category to Potentially Liable and the subcategory to Proxy Avoidance.
11. Access the website http://www.bing.com again.
This time, the block page will give you the option to Proceed. Click Proceed and enter the
following user credentials:
User: Student
Password: F0rtinet
Note: If you receive a certificate warning, be sure to allow it.
12. In the GUI on the Student FortiGate device, go to Log & Report > Security Log > Web Filter.
If you examine the actions taken in the logs you will find that initially a Block action shows up.
However, more recent logs show a different action.
13. Edit the web filter profile and select Flow-based. A notification is displayed as follows:
Click OK on this pop-up and then click Apply at the bottom of the profile.
14. Test the behavior of the flow-based inspection by connecting to www.bing.com again.
15. Go to Security Profiles > Advanced > Web Rating override and delete the entry for:
http://www.bing.com
Access www.bing.com again.
16. In the GUI on the Student FortiGate device, go to Security profiles > Monitor > Web Monitor.
Review the output. You can click on the charts in order to get additional information on what is
being displayed.
Note: If you do not have the Monitor menu, then this feature is disabled in the GUI and must be
enabled from the CLI:
config system global
set gui-utm-monitors enable
end
Scope: IP
Application Control
Lab 1: Application Identification
In this lab, you will use the application control feature to properly identify an application.
Objectives
Time to Complete
Estimated: 30 minutes
Application Override
Myspace
Category
Video/Audio
3. Refresh the Google Translate page. FortiGate should insert a replacement message from
application control about the application being blocked.
4. Go to Security Profiles > Application Control > Application Sensor and edit the default profile.
Disable replacement messages for HTTP-based applications, then click OK.
5. Refresh the Google Translate page. The browser should display an error message, telling you that
the connection was reset.
Note: Depending on which browser you use for the test, the wording and nature of the
error will vary.
6. Open a browser window. Go to http://www.myspace.com
Since there is no longer an HTTP-based block message enabled, the 2 signatures will behave
differently based on the configured action.
7. Go to Security Profiles > Application Control > Application Sensor and edit the default profile.
Enable replacement messages for HTTP-based applications, then click OK.
8. Refresh both websites. This time, the browser should display a block message.
9. Access Google Translate over HTTPS:
https://translate.google.com
This connection should succeed. In order for this signature to detect access over encrypted
communications (HTTPS), SSL inspection must be enabled.
http://training.fortinet.com
Technical Documentation
http://help.fortinet.com
Knowledge Base
http://kb.fortinet.com
Forums
https://support.fortinet.com/forum
https://support.fortinet.com
http://www.fortiguard.com
In this lesson, we will show FortiGate administration basics. This includes how and where FortiGate
fits into your existing network architecture.
After completing this lesson, you should have these practical skills in FortiGate administration
fundamentals, such as how to log in, make administrator accounts, do basic network settings, and how
to use your FortiGate's GUI or CLI.
You'll also be able to set up FortiGate to act as your local network's DNS or DHCP server.
Lab exercises can help you to test and reinforce your skills.
In this architecture diagram, you can see how FortiGate UTM platforms add strength without
compromising on flexibility: they are still internally modular. Plus:
Devices add duplication. Sometimes, dedication doesn't mean efficiency. If it's overloaded, can 1
device borrow free RAM on 9 others? Do you want to configure policies, logging, and routing on 10
separate devices? Does 10 times the duplication bring you 10 times the benefit? Or is it a hassle?
FortiGate hardware isn't just off-the-shelf. It's carrier-grade. Underneath, most FortiGate models
have 1 or more specialized circuits called ASICs that are engineered by Fortinet. For example, a CP
or NP chip handles cryptography and packet forwarding more efficiently. Compared to a single-purpose
device with only a CPU, FortiGate can have dramatically better performance.
(The exception? Virtualization platforms, such as VMware, Citrix Xen, Microsoft, or Oracle VirtualBox, have
general-purpose vCPUs. But virtualization might be worthwhile due to other benefits, such as
distributed computing and cloud-based security.)
FortiGate is flexible. If all you need is firewalling and antivirus, FortiGate won't require you to waste
CPU, RAM, and electricity on others. In each firewall policy, UTM modules can be enabled or
disabled. You won't pay more to add VPN seat licenses later, either. What requires a subscription?
Only FortiGuard subscription services.
FortiGuard subscription services give your FortiGate access to 24x7 security updates powered by
Fortinet's researchers. Your FortiGate uses FortiGuard in 2 ways:
By periodically requesting packages that contain a new engine and many signatures, or
By querying the FDN on an individual URL or host name
Queries are real-time, that is, FortiGate asks the FDN every time it scans for spam or filtered web sites.
Also, queries use UDP for transport: they are connectionless, and the protocol is designed for speed, not
fault tolerance. So they require that your FortiGate have a reliable Internet connection.
Downloaded packages like antivirus and IPS, however, aren't that frequent. They use TCP for reliable
transport. And their associated FortiGate features continue to function even if FortiGate does not have
reliable Internet connectivity. Keep in mind, though, that you should still avoid interruptions. If your
FortiGate must try repeatedly to download updates, it can't detect new threats during that time.
So now we've seen a simplified overview of the software architecture. What about the network
architecture? Where does FortiGate fit in?
When you deploy a FortiGate, you can choose on the dashboard between two modes: NAT or
transparent.
In NAT mode, FortiGate forwards packets based on Layer 3, like a router. Each of its logical network
interfaces has an IP address.
In transparent mode, FortiGate forwards packets at Layer 2, like a switch. So except for the
management interface, its interfaces have no IP address.
Interfaces can be exceptions to the router vs. switch operation mode on an individual basis, however.
We'll show these later.
What does that mean for your traffic, in terms of the 7-layer OSI model? Which operation mode should
you choose?
NAT mode is the most common choice. In NAT mode, the destination address is the FortiGate's
address. Typically FortiGate will rewrite the destination address, and/or port number and source
address in the IP network layer, into the server's private network address before forwarding the packet;
in other words, it will apply NAT and port forwarding. Depending on your presentation and application
layer protocols, it might also:
Terminate SSL or TLS sessions so back-end servers don't need to decrypt
Modify the addresses in the application layer headers, such as the Host: and X-Forwarded-For: in
the HTTP header
So NAT mode works well for edge or gateway security, where you divide your private IPv4 network from
an external network such as guest Wi-Fi or the Internet.
In transparent mode, the destination address is the server's address, not a FortiGate's interface.
As a result, it usually doesn't need to rewrite encapsulated layers, with the exception of TCP SYN-related
analysis. Only the MAC address in the frame is rewritten. So in complex IP environments such as
MSSP or mobile phone carriers, this simplifies deployment. Only the management interface needs an IP
address. But because network-facing interfaces don't have an IP address, you must verify that your
topology doesn't have any loops at Layer 2 Ethernet.
NAT mode is the default operation mode. What are the other default settings? Once you've removed
your FortiGate from its box, what do you do next?
Let's see how to set up a FortiGate.
Attach your computer's network cable to port1 or the internal switch ports (depending on your model) to
begin setup. There is a DHCP server on that interface, so if your computer's network settings have
DHCP enabled, your computer should automatically get an IP, and you can begin setup quickly. Every
FortiGate or FortiWifi device has these same default settings. (Note that FortiAP is not the same. It's
covered in a separate lesson.)
To access the GUI on FortiGate or FortiWifi, open a web browser and go to http://192.168.1.99.
Remember: The default login is publicly available knowledge. Never leave its default password
blank! Your network is only as secure as your FortiGate's admin account. Before you connect your
FortiGate to your overall network, you should set a complex password. You should also restrict it so that
FortiGate allows administrative connections only from your local console or management subnet.
What happens if you forget the password for your admin account, or a hostile employee changes it?
This recovery method, the maintainer account, is on all FortiGate devices, and even some non-FortiGate
devices like FortiMail.
It's a temporary account, only available through the local console port, and only after a hard reboot:
disrupting power by unplugging or switching off the power, then restoring it. FortiGate must be physically
shut off, then turned back on, not simply rebooted through the CLI. That's the difference between a
hard boot and a soft boot.
Even then, the maintainer login will only be available for login for about 30 seconds after boot
completes.
If you can't ensure physical security, or have compliance requirements, you can disable the maintainer
account. Use caution: if you disable maintainer and then lose your admin password, you
cannot recover access to your FortiGate.
All FortiGate models have a console port. This provides CLI access without a network.
On older models, it's a serial port. A standard null modem cable can be used to connect the serial
port to your computer's serial port.
On newer models, it's an RJ-45 port. Access by connecting an RJ-45-to-serial cable from your
computer's serial port to the RJ-45 port on the FortiGate.
In some newer models, the console port is a USB2 port. In that case, you'll plug in the USB cable,
then open FortiExplorer.
Most features are available in both the GUI and CLI. There are a few exceptions. Reports can't be
viewed in the CLI, for example, and diagnostic commands for power users are usually not in the GUI.
What if you don't want to use the GUI?
There is also a CLI. As you become more familiar with FortiGate, and especially if you want to script its
configuration, you may want to use it in addition. You can access the CLI via either the JavaScript widget
in the GUI named CLI Console, or via a terminal emulator such as Tera Term
(http://ttssh2.sourceforge.jp/index.html.en) or PuTTY
(http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html). Your terminal emulator can connect
via the network (SSH or Telnet) or the local console port.
SNMP and some other administrative protocols are also supported, but they are not used for basic
setup. Let's focus on setup now.
As an alternative GUI during setup, you can plug in your smart phone, and use FortiExplorer.
FortiExplorer isn't a complete configuration tool for all devices. Its focus is deployment: configuring
network addresses and routing. After that, your FortiGate can be integrated into the network, and you
can continue by configuring firewall policies, security profiles and other features.
There are a few supported platforms for the FortiExplorer software. This is what FortiExplorer looks like
when you are running it on a Windows laptop.
On the left side, you can see that FortiExplorer can fully update device firmware and configure its
network settings so that FortiGate is prepared for you to plug it into your network.
Whichever method you use, start by logging in as admin. Begin by creating accounts for other
administrators.
It's not shown here, but alternatively, instead of creating accounts on FortiGate itself, you could configure
FortiGate to query a remote authentication server. You could also require personal certificates,
authenticated via your PKI certificate authority, instead of passwords.
Choose strong, complex passwords. For example, you could use multiple interleaved words with varying
capitalization, and randomly insert numbers and punctuation. Do not use short passwords, nor
passwords that contain names, dates, or words that exist in any dictionary. These will be very
weak against brute force attacks. To audit the strength of your passwords, use tools such as l0phtcrack
(http://www.l0phtcrack.com/) or John the Ripper (http://www.openwall.com/john/). The risk of attackers
brute-forcing your firewall is especially high if you connect the management port to the Internet.
In order to restrict access to specific features, you can assign permissions.
When assigning permissions in an access profile, you can specify read-and-write, read-only, or no
access to each area.
By default, there is a special profile named super_admin, which is used by the account named admin.
It cannot be changed. It provides full access to everything, making the admin account similar to a root
superuser account.
prof_admin is another default profile. It also provides full access, but unlike super_admin, it only
applies to its virtual domain, not the global settings of the FortiGate. Also, its permissions can be
changed.
You aren't required to use a default profile. You could, for example, create a profile named
auditor_access with read-only permissions. Restricting a person's permissions to those necessary for
his or her job is a good best practice, because even if that account is compromised, the compromise is
not complete. To do this, create administrative access profiles, then select the appropriate profile when
configuring an account.
FortiToken is not the only option if you want to use two-factor authentication. Remember, two-factor
authentication only means that you use two independent methods to verify the person's identity.
Alternatively, FortiGate can send a one-time code by email to the administrator's address, or by text message.
To do this, you must first configure FortiGate with the settings of a mail server that it can use
to send email, or of an SMS server. The mail server can be configured under System > Config >
Messaging Servers in the GUI, or in the CLI. SMS settings, however, are CLI-only.
Another way to secure your FortiGate is to define which hosts or subnets are trusted sources of login
attempts.
Define all three trusted hosts, for all accounts. (If you leave any IPv4 address as 0.0.0.0/0, this means
to allow connections from any source IP, which is obviously not what you want.) The restriction is only
as strong as the least restricted account: one account left at 0.0.0.0/0 keeps the management
interface reachable from anywhere. Notice that each account can define its
management host or subnet differently. This is especially useful if you will be setting up virtual domains
on your FortiGate, where the VDOMs' administrators may not even belong to the same organization.
Now try to access FortiGate's GUI or CLI from an external IP. Does it work? No. Your web browser or
terminal emulator won't receive a response, not even to a ping.
Unless you connect from the network administrators' subnet, FortiGate won't allow you to even try to log
in. So external brute force against the accounts is blocked, and so is discovery by ICMP.
You may also want to customize the administrative protocols' port numbers.
You can also choose whether to allow concurrent sessions. Disabling them can prevent accidentally
overwriting settings, for example if you usually keep multiple browser tabs open, or if you leave a CLI session
open without saving the settings, then begin a GUI session and edit the same settings.
We've defined the management subnet, that is, the trusted hosts, for each administrator account. How
do you enable or disable management protocols?
This is specific to each interface. For example, if your administrators connect to FortiGate only from
port1, you should disable all administrative access on all other ports. This prevents brute-force attempts,
and also insecure access.
For better security, it is always best to use only secure, encrypted methods of access. Some protocols,
such as telnet, ICMP, HTTP, and SNMP version 1, don't have encryption or even authentication, so
they should never be enabled on public, untrusted networks.
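The two checks above, trusted hosts on every account and no cleartext management protocols on exposed interfaces, are easy to audit from a configuration backup. The following script is an added example written for this guide, not Fortinet's own tooling. It parses the small subset of FortiOS configuration syntax it needs (config / edit / set / next / end) over a constructed excerpt; the account names, addresses and interface names are made up for illustration, and IPv6 trusted hosts (ip6-trusthost) are not examined.

```python
"""Audit a FortiOS-style configuration excerpt for weak management-access settings.

Added example, not code from the FortiGate Student Guide. The configuration text
below is constructed for illustration; only the config/edit/set/next/end subset
needed here is parsed.
"""
import ipaddress
import shlex
from collections import defaultdict

# Constructed sample: two accounts leave trusted hosts wide open, one extra account
# uses super_admin, and wan1 exposes cleartext management protocols.
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set trusthost1 10.0.1.0 255.255.255.0
        set accprofile "super_admin"
    next
    edit "auditor"
        set accprofile "auditor_access"
        set trusthost1 0.0.0.0 0.0.0.0
    next
    edit "helpdesk"
        set accprofile "prof_admin"
    next
    edit "backup-admin"
        set trusthost1 10.0.1.0 255.255.255.0
        set accprofile "super_admin"
    next
end
config system interface
    edit "port1"
        set ip 10.0.1.1 255.255.255.0
        set allowaccess ping https ssh
    next
    edit "wan1"
        set ip 203.0.113.2 255.255.255.0
        set allowaccess ping https http telnet snmp
    next
end
"""

# Protocols without encryption (the guide: never enable them on untrusted networks).
CLEARTEXT_PROTOCOLS = {"telnet", "http", "snmp"}


def parse_config(text):
    """Return {table: {entry: {setting: [values]}}} for a config excerpt."""
    tables = defaultdict(dict)
    table = entry = None
    for raw in text.splitlines():
        tokens = shlex.split(raw)          # handles the quoted names/values
        if not tokens:
            continue
        keyword, args = tokens[0], tokens[1:]
        if keyword == "config":
            table = " ".join(args)
        elif keyword == "edit":
            entry = args[0]
            tables[table][entry] = {}
        elif keyword == "set":
            tables[table][entry][args[0]] = args[1:]
        elif keyword == "next":
            entry = None
        elif keyword == "end":
            table = None
    return tables


def trusted_networks(settings):
    """Collect trusthost1..N as networks; an account with none is open to any source."""
    nets = []
    for key, value in settings.items():
        if key.startswith("trusthost") and len(value) == 2:
            nets.append(ipaddress.ip_network(f"{value[0]}/{value[1]}", strict=False))
    return nets


def audit(text):
    """Return a sorted list of (severity, subject, message) findings."""
    cfg = parse_config(text)
    findings = []
    for name, settings in cfg.get("system admin", {}).items():
        nets = trusted_networks(settings)
        if not nets or any(n.prefixlen == 0 for n in nets):
            findings.append(("high", name, "trusted hosts allow logins from any source IP"))
        profile = settings.get("accprofile", [""])[0]
        if profile == "super_admin" and name != "admin":
            findings.append(("medium", name, "extra account uses the unrestricted super_admin profile"))
    for name, settings in cfg.get("system interface", {}).items():
        exposed = CLEARTEXT_PROTOCOLS & set(settings.get("allowaccess", []))
        if exposed:
            findings.append(("high", name,
                             "cleartext management protocols enabled: " + ", ".join(sorted(exposed))))
    return sorted(findings)


if __name__ == "__main__":
    for severity, subject, message in audit(SAMPLE_CONFIG):
        print(f"[{severity}] {subject}: {message}")
```

Run it against a full backup (show full-configuration output) rather than the default abbreviated one, because an account with no trusthost lines at all is exactly the open case the script reports.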
IPv4 and IPv6 protocols are separate. It's possible, for example, to have both IPv4 and IPv6 addresses
on an interface, but only respond to pings on IPv6. However, IPv6 is hidden in the GUI by default. How
do you show IPv6 settings?
FortiGate has hundreds of features. If you don't use all of them, hiding the features that you don't use makes
it easier to focus on your work.
Hiding a feature in the GUI does not disable it. It is still functional, and can still be configured via the CLI.
(In fact, many diagnostic features are only available in the CLI.)
Some advanced or less commonly used features, such as IPv6, are hidden by default.
There are two ways to show hidden features:
Use the Features widget on the dashboard, or
Go to System > Config > Features
NGFW shows features for line-speed inspection, with no added latency. This hides all UTM options
that can potentially slow down traffic.
ATP shows features for advanced threat protection that focus on protecting endpoint computers.
WF shows features for web filtering.
Full UTM is a preset that shows almost all UTM features.
Load balancing and a few others aren't enabled by any preset, though. So if the Features widget does not
show the feature you're looking for, go to System > Config > Features instead.
Once you have administrator accounts, they can configure the network interfaces.
Remember: when the FortiGate device is in NAT/route mode, every interface that handles traffic usually
must have an IP address, so that packets through this interface have a source and destination at
the IP layer. There are three ways to do this:
assign a static IP, or
automatically retrieve one, via either DHCP or PPPoE
As we mentioned earlier, there are two exceptions, which are less commonly used: One-Arm Sniffer and
Dedicate to FortiAP. Unlike interfaces in NAT mode, these aren't assigned an address.
One-Arm Sniffer is an interface in promiscuous mode. As a result, regardless of each packet's
destination address, FortiGate can inspect all traffic that arrives. So although the FortiGate as a whole is
in NAT mode, acting as a router, this specific interface does not route. It receives traffic, but cannot send.
There are more considerations, which are covered in the IPS lesson.
Dedicate to FortiAP creates both an access point controller and a DHCP server. Clients
connecting to SSIDs managed through this interface receive an IP address from the pool on this
interface.
Wireless clients aren't the only ones that can use FortiGate as their DHCP server.
Select the Manual addressing mode, enter a static IP, then enable the DHCP Server option. Options for the
built-in DHCP server will appear.
For the built-in DHCP server, you can reserve specific IP addresses for devices with specific MAC
addresses. Those devices will always receive the same lease, unless the number of devices exceeds
the size of the IP pool. Keep in mind that a reservation is keyed on the MAC address, which a client can
change, so it is a convenience for addressing, not a form of access control.
For detailed information about the MAC addresses and the corresponding IPs, you can look in the router
subsection of the event log, or in the DHCP Monitor, which you can find in the System menu.
Like with DHCP, you can also configure FortiGate to act as your local DNS server.
A local DNS server can improve performance for your FortiMail or other devices that use DNS queries
frequently. If your FortiGate offers DHCP to your local network, DHCP can be used to configure those
hosts to use FortiGate itself as both the gateway and the DNS server.
FortiGate can answer DNS queries in one of three ways:
by relaying all queries, that is, acting as a DNS relay instead of a DNS server,
by resolving what it can itself and relaying only the queries it can't resolve to your ISP's DNS server, or
by returning a null response if it can't resolve the query itself.
You can enable and configure DNS separately on each interface.
If you choose the DNS forwarding option, you can control DNS queries within your own network without
having to set up a separate DNS server.
If you choose to have your DNS server resolve queries, or you choose a split DNS, you must set up a
DNS database on your FortiGate.
This defines the host names that FortiGate will resolve queries for. Use zone file syntax outlined by
RFCs 1034 and 1035.
Lastly, before you can integrate FortiGate into your network, FortiGate must have a default gateway.
If FortiGate gets its IP address through a dynamic method such as DHCP or PPPoE, then it will also
retrieve the default gateway.
Otherwise you must configure a static route. Without this, the FortiGate will not be able to respond to
packets from outside the subnets directly attached to its own interfaces. It probably also won't be able to
connect to FortiGuard for updates, and may not properly route traffic.
Routing details are covered in another lesson. For now, you should usually make sure that FortiGate has
a route that matches all packets (destination 0.0.0.0/0), and forwards them through the network
interface that is connected to the Internet, to the IP address of the next router.
Routing completes the basic network settings that are required before you can configure firewall policies.
Now that FortiGate has basic network settings and administrative accounts, let's show how to back up
the configuration.
You can encrypt configuration files with a password, if necessary. Besides securing the privacy of your
configuration, this has some effects you may not expect. Once encrypted, the configuration file cannot
be decrypted without the password and a FortiGate of the same model and firmware. This means that if
you send an encrypted configuration file to Fortinet Technical Support, even if you give them the
password, they still cannot load your configuration until they get access to the same model of FortiGate.
This can cause unnecessary delays when resolving your ticket.
Even if the configuration is not encrypted as a whole, each password in it is stored encrypted individually. So in
many cases, encrypting the entire configuration file may not be necessary. Treat an unencrypted backup
as sensitive all the same: it still reveals your addressing, policies, and account names.
If you open the configuration file in a text editor, you'll see that both encrypted and unencrypted
configuration files contain a clear-text header that contains some basic information about the device. The
diagram here shows what information it includes.
To restore an encrypted configuration, you must upload it to the same model of FortiGate, with the same
firmware version, then provide the password.
To restore an unencrypted configuration file, you are only required to match the model. If the firmware is
different, FortiGate will attempt to upgrade the configuration, similar to how it uses upgrade scripts on the
existing configuration when upgrading firmware.
Usually, the configuration file only contains non-default settings, plus a few default yet crucial settings.
This minimizes the size of the backup, which could otherwise be several MB in size.
If you enable virtual domains, subdividing the resources and configuration of your FortiGate, each VDOM
administrator can back up and restore their own configuration. You don't have to back up the entire
FortiGate configuration.
VDOM details are discussed in a separate lesson.
Upgrading the firmware on a FortiGate is simple. The easiest method is to click the Update link on the
System Information widget on the dashboard, then choose a firmware file that you have downloaded
from support.fortinet.com.
If you want to make a clean install by overwriting both the existing firmware and its current
configuration, you can do this via the local console CLI, within the boot loader menu, while FortiGate is
rebooting. However, this is not the usual method.
You can also downgrade firmware. Since settings change in each firmware version, you should have a
configuration file in the syntax that is compatible with the target firmware.
Remember to read the release notes. Sometimes a downgrade between firmware versions that
preserves the configuration is not possible, such as when the OS changed from 32-bit to 64-bit. In that
situation, the only way to downgrade is to format the disk, then reinstall.
Once you've determined the downgrade is possible, verify everything again, then start the downgrade.
After it completes, restore a configuration backup that is compatible with that version.
Why should you keep emergency firmware and physical access?
Old firmware versions don't know how to convert future configurations. Also, when upgrading via a path
that is not supported by the configuration translation scripts, you might lose all settings except basic
access settings such as administrator accounts and network interface IP addresses. Another rare but
possible scenario is that the firmware could be corrupted while you are uploading it, so compare the
image's checksum against the one published on the support site before you upload it. For all of those
reasons, you should always have local console access during an upgrade, in case of emergency.
However, in practice, if you read the release notes and have a reliable connection to the GUI or CLI, it
should not usually be necessary.
Remember your initial setup via FortiExplorer? You can also use it to download firmware, then install it
on your FortiGate.
In this lesson, we will look at how to monitor your FortiGate, and how to log its system events and
network traffic. Since you are implementing a security solution, it is important to know how to
appropriately monitor the device's operation. It is vital to have logging and monitoring configured
properly and to know how to read the output. Otherwise, if you encounter issues, you won't have any
messages from FortiGate to help you find out what is happening in your network.
The basic purpose of logs is to help you monitor your network traffic levels, track down problems,
establish baselines, and a lot more.
Think of your own internal organization, where it is highly probable that more than one administrator
has access to your FortiGate device. Since it is not practical to block other administrators from making
changes to your FortiGate configuration, you can simply view the log files to find out what is
happening on the device, including any changes that were made. Logs help provide you with the big
picture so you can make adjustments to your network security, if necessary.
Keep in mind that some organizations have legal requirements when it comes to logging, so it is
important to be aware of your organization's policies during configuration.
Each log entry includes a log level that ranges in order of importance from Debug to Emergency. In
total there are eight levels: Emergency, Alert, Critical, Error, Warning, Notification, Information, and
Debug. Debug, the lowest level, puts additional information into the event log and
is worthless unless you are actively investigating something. Debug is only needed to log diagnostic
data, puts more strain on the CPU resources, and requires additional resources to create. Generally
the lowest level you want to use is Information.
Your organization's policies dictate what needs to be logged.
You can choose to store logs in a variety of places, both on and off the device. Locally, the FortiGate
device has memory, and many devices have a built-in hard drive. Externally, you can store logs on
syslog servers, FortiCloud, or a FortiAnalyzer device. (SNMP, covered later, is a monitoring channel
rather than a log store.)
So far, we've discussed FortiAnalyzer and FortiManager as interchangeable external logging devices
for the FortiGate. While configuring the FortiGate to send logs to a FortiAnalyzer or a FortiManager is
identical (they share a common hardware and software platform), the FortiAnalyzer and
FortiManager actually have different capabilities that are worth noting. Both take log entries, but a
FortiManager's primary purpose is to centrally manage multiple FortiGate devices. As such, it has a
flat limit imposed on the amount of logs it can receive in a day, regardless of the model. On the other
hand, the FortiAnalyzer's primary purpose is to store and analyze logs, so the log limit is much higher
(though the limit is model-dependent). Even the smallest FortiAnalyzer can handle more logs per day
than any FortiManager.
But at the most basic level, what you can do with the logs received on a FortiManager is no different
from what you can do with logs received on a FortiAnalyzer.
The FortiGate has two methods for transmitting the log events: store-and-upload, and real time.
You can configure logging to either a FortiAnalyzer or a FortiManager through the GUI or the CLI.
In the GUI, it is done under Log & Report > Log Config > Log Settings. Here, each device must be set
up separately, one at a time.
In the CLI, you can configure up to three separate FortiAnalyzer or FortiManager devices at the same
time. The options in the GUI only relate to the config log fortianalyzer setting, not to fortianalyzer2 or
fortianalyzer3. You may need a setup like this for redundancy or for some other requirement. Keep in
mind that generating logs requires resources, so the impact of sending logs to multiple locations
ultimately depends on how many logs you are creating.
Another external logging option you can use is FortiCloud. FortiCloud is a subscription-based service,
offered by Fortinet, that provides long-term storage of logs as well as reporting functionality. It's
a similar idea to FortiAnalyzer, but more advantageous for smaller setups, where purchasing a
dedicated logging appliance isn't feasible. Every FortiGate comes with a free one-month trial. You can
activate your free trial from the GUI, link it to your FortiCare account, and start sending logs. Be sure to
read any documentation on the website if you are considering the subscription-based option.
On the FortiGate, all logs are split into three log types: traffic logs, event logs, and
security logs.
Each log type is further split into sub-types. Traffic logs contain Forward, Local, Invalid, and Multicast.
The Forward log contains information about traffic either accepted or rejected by a firewall policy. Local
traffic is traffic directly to or from the FortiGate, and includes logins to the GUI as well as FortiGuard
queries. Invalid packets are the logs of packets thrown away before they even reach a firewall policy.
Event logs contain System, User, and Router/VPN/WanOpt & Cache/WiFi sub-types. System events are
related to system operations, such as automatic updates of the AV/IPS definitions and people logging
into the GUI. User contains logon/logoff events for users hitting firewall policies. Router/VPN/WanOpt
& Cache/WiFi contain log entries related to the specific feature. For example, Router contains BGP or
RIP log entries and VPN contains IPsec and SSL VPN log entries.
Finally, Security logs contain log entries based on the security profile type: for example, Antivirus, Web
Filter, and Intrusion Protection, to name a few. Security logs only show a specific sub-type if logs have
been created within it.
The Log & Report section of the FortiGate GUI includes the three log types: Traffic, Event, and (if
configured) Security. The Traffic Log contains events about packets. The Event Log contains admin or
system activity events. The Security Log contains messages related to security profiles activated on
firewall policies. By default, most of the events related to security appear in the Forward Traffic log, a
sub-type of the Traffic Log. This is for performance: fewer log entries are less CPU-intensive. The exception
to this is DLP and intrusion scanning. Events such as these always appear in the Security Log section.
To inspect your logs through the GUI, go to the Log & Report section and select the log type to view.
In the upper right corner of the window, you can switch between viewing the logs from different
locations if the FortiGate is set up to log to multiple locations.
It is not recommended to configure your firewall to actively inspect traffic without creating a log entry
about it.
This chart illustrates the expected behavior when you enable different logging options.
The first column, Policy Log Setting, shows the log setting on the firewall policy: No Log, Log Security
Events, or Log all Sessions.
The second column shows whether an Antivirus, Web Filter, or Email security profile is enabled or
disabled. Remember, DLP and IPS profiles always generate logs in the Security Log section.
The last column shows the behavior. If you enable any profiles on your policy and logging is not enabled,
you will not get logs of any kind, even if the profile is configured to block the traffic. So if you apply a
security profile, it's important to remember to consider the logging setting.
When viewing the logs, you might encounter a high volume of log messages, depending on your
configuration. This makes it difficult to locate a specific log or log type, especially during an
investigation. To navigate the logs more efficiently, you can set up various filters. The more
information you specify in the filter, the easier it is to find the precise log entry. Filters are configured
for each column of data you choose to display. By default, only a subset of the information appears in
the log table. Make sure to configure the table columns for your own requirements.
Every log message you view has a standard layout comprised of two sections: a header and a body.
The header contains the same information regardless of the log. The body, however, changes from
one type of log message to another. This is because there is some data common to all logs, like a
date and time, while other data is event dependent.
Let's take a closer look at the header in this example of a raw log entry. While the output is not
as structured as it appears in the GUI, the information contained in a raw log file is the same. As you
can see in the header, aside from the date, time, and log ID attributes, you can see that the log type is
UTM, the sub-type is DLP, and the severity level is Warning. The attributes in the header (such as log
type and sub-type) are common to every log, but the data assigned to them can differ. For example,
the header can contain a log type of Event and sub-type of System instead of what you see in the
example above. Accordingly, the information in the header of the log directly affects the data
contained in the associated body of the log.
Note that if you log to a third-party device, such as a syslog server, you need to know how to set up
your filters in order to find what you need in your log messages. You can find a document that
contains all the logs and their layouts (the FortiOS Log Message Reference) on the Fortinet docs web
site at http://docs.fortinet.com .
Now let's take a closer look at the body of a log. The body provides the specifics of the log message
and helps you understand what actually happened. In the log above, we can see the action taken by
the FortiGate device when it encountered the traffic through the status attribute. Here, the status is
Deny, which means the FortiGate prevented this particular piece of traffic from passing. The value of
the policyid field tells you which policy this traffic matched (that is, which firewall rule was used).
Rather than look at raw logs or logs through the GUI, you can also display log messages from the CLI
(execute log filter to choose the category and filters, then execute log display). This lets you set up
a number of filters on the logs that are displayed, and capture the output to a file
and send it via the options you specify, such as FTP.
Monitoring your logs is critical, as it allows you to review the progress of an attack, whether afterwards
or while in progress, and address the issue quickly. How the attack unfolds may reveal weaknesses in
your preparations.
There are three ways you can monitor logs: Alert Emails, the Alert Message Console, and SNMP.
Since you can't always be physically at the device, you can monitor logs by setting up alert emails.
Alert emails are set up like any other log destination: first you decide what goes into them (a filter),
and then where they go.
To set up an alert email, the first thing you need to do is configure the SMTP server that FortiGate
will use to send mail. This can be done under System > Config > Messaging Servers in the GUI, or
with config system email-server in the CLI.
This lets you configure your alert email settings in the GUI through the Log & Report > Log
Config > Alert E-mail menu. Without an SMTP server configured to accept the email, the alert
email option does not appear in the GUI.
Another log monitoring option is the Alert Message Console. The Alert Message Console is a GUI
widget that you can enable on the System dashboard. Here, instead of the alerts being emailed to
administrators as with alert emails, they appear directly in the widget on the System page when you log
in to the FortiGate. You can configure the widget to set up the events you want to appear as alerts, the
number of alerts, and even the name of the widget itself. For example, you can have multiple alert
widgets on the dashboard with different names, each displaying a different type of alert.
Once an alert appears in the Alert Message Console, it remains until acknowledged. Once you confirm
that the event did not impact anything, you acknowledge it, and it is removed from your list; it no longer
appears as something that requires further attention.
Another method of monitoring is through an SNMP manager. To use this method, you
require the Management Information Base (MIB) files. A MIB is a text file that describes a list of SNMP
data objects that are used by the SNMP manager. These MIBs provide the information the SNMP
manager needs to interpret the SNMP trap, event, and query messages sent by the FortiGate device's
SNMP agent. They can be loaded into any SNMP software so that you can set up automatic queries
to the device to discover its operational status. You can obtain CPU and memory levels, the cause
of the last spam detection, and more. A FortiGate device supports SNMP v1, v2c, and v3.
You can obtain the MIB files either from the Support website or directly from the FortiGate GUI through
the System > Config > SNMP menu.
Setting up the necessary SNMP options is fairly straightforward from the GUI. Simply enable and
define the service as you would for any other SNMP-monitored device, then enable your protocol
options and methods of monitoring. What can be monitored with the different versions is exactly the
same. SNMP v3 adds security that v1 and v2c lack: per-user authentication and encryption of the
traffic, whereas v1 and v2c rely on a community string sent in clear text. Treat a community string as a
password, and never expose v1 or v2c on an untrusted network.
In the GUI, under Log & Report > Log Config > Log Settings, you can enable different locations for log
storage. You can also configure the different kinds of traffic you want to appear in the Local traffic log.
Finally, you can configure the GUI preferences. Resolving IPs to host names requires the FortiGate to
perform DNS lookups for all the IPs. If your DNS is not working or is running slowly, this can impact your
ability to look through the logs, as the requests will time out.
Using the CLI to configure log settings provides you with more flexibility and options than the GUI.
From the CLI, you can configure up to three separate FortiAnalyzers and up to three syslog servers, options not
available in the GUI. There is also the ability to set up logging to WebTrends, a third-party service. The
information you require for configuring the log settings depends on the logging destination you
configure: disk, FortiAnalyzer, FortiGuard (the CLI's name for FortiCloud logging), memory, syslog, or WebTrends.
Firewall policies also have logging options you can configure. The policy setting determines if and
when a log message is generated for traffic passing through a particular firewall policy. The settings
under Log Settings in the GUI and the config log command in the CLI determine where the FortiGate
stores the log messages it creates.
It's important to remember that creating logs is not free; it does weigh on your system. The more
logs that get generated, the heavier the toll on your CPU and memory resources. Storing logs for a
period of time also requires disk space, as does accessing them. So before configuring logging, make
sure it's worth the extra resources and that your system can handle the influx.
Also important to note is logging behavior with UTM profiles. UTM profiles create log events when
traffic is detected. Depending on the amount of traffic you have and the logging settings that are enabled,
your traffic logs can easily become a problem that will ultimately impact the performance of your
firewall.
There is an option in the CLI that removes some of the information stored in the traffic log: under
config log setting, set brief-traffic-format enable. By executing this command, you can free up resources
on the firewall, at the cost of detail you may later want during an investigation.
In configuring the Event log settings, remember that Event logs are not caused by traffic passing
through firewall policies. For example, VPNs going up and down or routing protocol activity are not
caused by traffic passing through a firewall policy. One exception might be the user log. This does not
record information about traffic through firewall policies directly, but it does record user logon/logoff
events on traffic that passes through policies.
Event logs provide all of the system information generated by the FortiGate device, such as
administrator logins, configuration changes made by administrators, user activity, and daily operations
of the device. So what you enable depends on what features you are implementing and what
information you need to get out of the logs. You can enable what events you want to log through the
Log & Report > Log Config > Log Settings menu.
There is also a daily log monitor section. This displays the number of logs generated over time as well
as the log type. This allows you to see where your FortiGate device is using most of its resources and
if any trends are occurring. You can drill down through these logs and obtain further information by
clicking any of the days.
Each function of the FortiGate device has an equivalent Monitor menu item in the GUI. This allows
you to take a view, at any given moment, how the feature is performing. The Security functions have a
monitor option like the rest, but you need to enable it from the CLI before it appears. With a lot of
security activity this could impact your CPU, so its disabled by default.
One example of a GUI monitor is the Security Profiles monitor, found in the GUI under Security
Profiles > Monitor. It has sub-sections for each security feature to highlight recent activity, such as AV
Monitor, Web Monitor, and Application Monitor to name a few. This gives you a snapshot of what is
happening with that particular option. Almost every menu has this option.
Another means of monitoring is through the widgets on the status page. Many can be customized to
show the same type of information in multiple ways. If you click the pencil icon in the upper right
corner of the widget, you can configure any of the available settings for that widget. You can add some
widgets to the same dashboard multiple times, with each instance displaying different information.
By default, there are a number of different dashboards available. Each one has a different name with a
different collection of widgets to provide different types of information. Each user has their own
dashboard setup and layout, so if one user deletes a dashboard and rearranges the widgets on the
Status page, it will not impact any of the other users. You can alter a user's permissions to not allow
them to make changes to their dashboard, and use this to restrict their access.
One other area you may want to monitor, purely for diagnostics, is the crash log, available through
the CLI (diagnose debug crashlog read). The FortiGate is like a computer, with different processes that
handle different things, like DHCP or web filtering for example. Any time a process exits for any reason,
the crash log records this as a crash. If there is an abnormal termination of a process, you can look at the
crash log and find out the conditions that caused it. A normal and fairly common thing to see in the crash
log is entries for scanunitd, which is the process responsible for virus scanning. Any time the definitions
package is updated, that process needs to close down in order to apply the new package. This is a
normal shutdown and appears with a status of zero, which indicates a normal shutdown with no
abnormalities.
In this lesson, we covered log severity levels; storage locations; log types and subtypes; log structure
and behavior; log settings; viewing log messages; and monitoring, reading, and interpreting log
messages.
Firewall Policies
In this lesson, we will show you how to pass traffic through FortiGate, and explain how that works. At its
core, FortiGate is a firewall, so almost everything that it does to your traffic is linked into your firewall rules.
After this lesson, you should be able to properly identify the different components used in a firewall policy.
You'll be able to configure firewall policies and arrange them to correctly match traffic.
You'll also be able to apply UTM and other features through the firewall policy, test your policies, and
monitor traffic passing through them.
When a packet arrives, how does FortiGate find a matching policy? Each policy has match criteria, which
you can define using objects:
Ingress and egress interfaces
Source and destination, by IP address, device ID, or user
Network service(s) (that is, IP protocol and port number)
Schedule
Once FortiGate finds a matching policy, it applies its settings for packet processing. Is antivirus scanning
applied? Will source NAT be applied?
For example, if you want to block incoming FTP to all but a few FTP servers, you would define the
addresses of your FTP servers, select those as the destination, and select FTP as the service. You
probably wouldn't specify a source (often any location on the Internet is allowed) nor a schedule (usually
FTP servers are always available, day or night). Finally, you would set the Action setting to Accept.
This might be enough, but often, you'll want more thorough security. Here, the policy also authenticates
the user, scans for viruses, limits the bandwidth consumption, and logs blocked connection attempts.
Firewall policies appear in an organized list. It's organized either into a section view or a global view.
Usually, it will appear in section view. Each section contains the policies for one ingress-egress pair.
Alternatively, you can choose to view your policies as a single comprehensive list, by selecting Global
View at the top of the page.
Policy sequence numbers define the order in which rules are processed. Policy IDs are identifiers. By
default, sequence numbers are displayed on the GUI. CLI commands, however, use the policy ID: edit <ID>.
This may confuse the administrator into modifying the wrong policy. To avoid such errors, add the policy ID
to the GUI using the column settings.
Remember that we mentioned that only the first matching policy applies?
Moving your policies into the correct position is important. It affects which traffic is blocked or allowed.
In the applicable interface pairs section, FortiGate will look for a matching policy, beginning at the top. So
usually, you should put more specific policies at the top. Otherwise, more general policies will match the
traffic first, and your more granular policies will never be applied.
Here, we're moving a policy that only matches Windows SMB traffic above the more general accept-
everything-from-everywhere policy. Otherwise, FortiGate would always apply the first matching policy
(the accept-everything policy) and never reach the block-SMB policy.
How does FortiGate determine if a packet matches a policy? Let's look at that next.
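The first-match lookup described above, as an added example that is not part of the original guide: a simplified Python model of policy matching on interface pair, address, service and action (schedules omitted, treated as always on), showing why the block-SMB policy must sit above the accept-everything policy. Interface names, addresses and ports are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Constructed model (not FortiOS code) of first-match policy lookup using the
# criteria the lesson lists: ingress/egress interface, source/destination
# address, service, and the action of the first policy that matches.

@dataclass
class Policy:
    pid: int                       # policy ID (CLI identifier)
    srcintf: str                   # ingress interface or "any"
    dstintf: str                   # egress interface or "any"
    srcaddr: List[str]             # CIDR strings, or "all"
    dstaddr: List[str]
    services: List[Tuple[str, int]]  # (protocol, dst port); ("any", 0) matches all
    action: str                    # "accept" or "deny"
    name: str = ""

@dataclass
class Packet:
    ingress: str
    egress: str                    # routing decides the egress before policy lookup
    src: str
    dst: str
    proto: str
    dport: int

def _addr_match(objs, ip):
    addr = ipaddress.ip_address(ip)
    return any(o == "all" or addr in ipaddress.ip_network(o) for o in objs)

def _svc_match(services, proto, dport):
    return any(p == "any" or (p == proto and d == dport) for p, d in services)

def lookup(policies, pkt):
    """Return the first policy, top to bottom, whose criteria all match,
    or None, which stands for the implicit deny at the end of the list."""
    for pol in policies:
        if pol.srcintf not in ("any", pkt.ingress):
            continue
        if pol.dstintf not in ("any", pkt.egress):
            continue
        if not _addr_match(pol.srcaddr, pkt.src) or not _addr_match(pol.dstaddr, pkt.dst):
            continue
        if not _svc_match(pol.services, pkt.proto, pkt.dport):
            continue
        return pol
    return None

def decide(policies, pkt):
    """(policy ID, action) applied to pkt; ID 0 stands for the implicit deny."""
    pol = lookup(policies, pkt)
    return (pol.pid, pol.action) if pol else (0, "implicit deny")

# Constructed policies and packets (port3 = LAN ingress, port1 = WAN egress).
ACCEPT_ALL = Policy(1, "port3", "port1", ["all"], ["all"], [("any", 0)], "accept", "accept everything")
BLOCK_SMB = Policy(2, "port3", "port1", ["all"], ["all"], [("tcp", 445), ("tcp", 139)], "deny", "block SMB")

SMB_PKT = Packet("port3", "port1", "10.0.1.10", "10.200.1.254", "tcp", 445)
HTTP_PKT = Packet("port3", "port1", "10.0.1.10", "10.200.1.254", "tcp", 80)
PORT4_PKT = Packet("port4", "port1", "10.0.2.10", "10.200.1.254", "tcp", 80)  # no policy for this pair

def wrong_order():
    """General policy first: SMB is accepted and the block policy is never reached."""
    return decide([ACCEPT_ALL, BLOCK_SMB], SMB_PKT)

def right_order():
    """Specific policy first: SMB is denied, everything else still falls to accept."""
    return decide([BLOCK_SMB, ACCEPT_ALL], SMB_PKT)

if __name__ == "__main__":
    print("general first :", wrong_order())
    print("specific first:", right_order())
    print("HTTP          :", decide([BLOCK_SMB, ACCEPT_ALL], HTTP_PKT))
    print("port4 ingress :", decide([BLOCK_SMB, ACCEPT_ALL], PORT4_PKT))
```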
Each policy matches traffic and applies security by referring to objects such as addresses and profiles that
you've defined.
What about other firewall policy types? Do IPv6 policies exist? Yes. And they use slightly different objects
that are relevant to their type. In this lesson, we're discussing IPv4 firewall policies and SSL/SSH
inspection. They are the most common use case.
To begin describing how FortiGate finds a policy for each packet, let's start with the interface pairs. We
showed them in section view.
Packets arrive on an ingress interface; routing determines the egress. Both interfaces must match the
policy's interface criteria in order for it to be a successful match. In each policy, you must select both a
source and destination interface, even if it is any.
So if a packet arrives on port4, but you only have policies between port1 (WAN) and port2 (DMZ),
for example, the packet would not match your policies and would therefore be dropped by the implicit deny
policy at the end of the list, even if the packet did match an egress interface of any.
Interfaces may be grouped into logical zones. For example, you could group port7 to port10 as a LAN
zone. This generally simplifies policy configuration, except that an interface in a zone cannot be referenced
individually. So if you must subdivide a zone, don't create it. Instead, select multiple source and destination
interfaces in the firewall policy.
The next match criterion that FortiGate will consider is the packet's source.
In each firewall policy, you therefore must select a source address object. Optionally, you can refine your
definition of the source by also selecting a user, group and/or a specific device. If your organization allows
BYOD (that is, Bring Your Own Device), then a combination of all three provides a much more granular
match.
In earlier releases of FortiOS 5, sub-policies were used for authentication (also called identity) and device
identification. Also, it was either-or: you could not use both types in the same rule. In 5.2, you can now
use both user and device definitions together, in the same firewall policy.
Using Source Device Type causes the FortiGate to enable device identification on the source interface(s)
of that policy.
Device Definitions shows the list of detected devices. You can also define static entries.
Detected devices are saved to the FortiGate's flash. Therefore, on restart, the FortiGate knows the devices
already identified, and does not have to re-categorize each device.
The user displayed in the device information is just a tag; it cannot be used as a means of identity for an
authentication policy.
The CLI command diag user device list shows a more detailed listing than User & Devices > Device >
Device Definitions, including the detection method.
FortiClient devices have a unique ID which can be used as an index for the device. This is used instead of the
MAC address, which may be problematic when a device has multiple MAC addresses (such as servers or
virtual machines), or where there is no Layer 2 visibility of that device.
FortiGate can control FortiClient settings via the profile and registration.
License Information on the FortiGate GUI dashboard shows the registered devices. Windows and Mac
FortiClient installers are also available from this dashboard widget.
Once a FortiClient registers itself with a FortiGate, you'll be able to see its UID on the endpoint control
device list.
You may configure the default FortiClient profile or add additional profiles. New profiles applied to devices
or users override the default.
Once you've configured the settings, FortiGate will send them back to FortiClient.
To reduce the total number of firewall policies in RAM, and simplify administration, you can group service
and address objects, then reference that group in the firewall policy, instead of selecting multiple objects
each time or making multiple policies.
You can also group virtual IPs.
Here, all three source selectors identify the user group, device type, and specific subnet. This would not
have been possible in previous firmware versions.
Remember, user and device are optional objects. They are used here so that the policy is more specific. If
you wanted the policy to match more traffic, you could leave them undefined.
In earlier releases of FortiOS 5, if traffic matched an identity sub-policy, by default, FortiGate simply
blocked traffic that failed authentication. It would not fall through to try the next authentication rule unless
you had explicitly enabled the option fall-through-unauthenticated.
But in this release, FortiGate uses the fall-through behavior by default.
Like the packet's source, FortiGate also checks the destination address for a match.
Address objects may be a host name, IP subnet or range. If you enter an FQDN as the address object,
make sure that you've configured your FortiGate with DNS settings. FortiGate uses DNS to resolve those
host names to IP addresses, which are what actually appear in the IP header.
Geographic addresses, which are groups or ranges of addresses allocated to a country, may be selected
instead. These objects are updated via FortiGuard.
Schedules add a time element to the policy. For example, a policy allowing backup software may activate
at night, or a remote address may be allowed for testing purposes and a schedule provides a test window.
Another criterion that FortiGate uses to match policies is the packet's service.
At the IP layer, protocol numbers (for TCP, UDP, SCTP, etc.) and source and destination ports together
define each network service. Generally, only a destination port (that is, the servers listening port) is
defined. Some legacy applications may use a specific source port, but in most modern applications, the
source port is randomly determined at transmission time, and therefore is not a reliable way to define the
service.
For example, the predefined service object named HTTP is TCP destination port 80; HTTPS is TCP
destination port 443. However, the source ports are ephemeral, and therefore not defined.
We've just shown several component objects that can be re-used as you make policies. What if you want
to delete an object?
If it's being used, you can't. First, you must reconfigure the objects that are currently using it. The GUI
provides a simple way to find out where in the FortiGate's configuration an object is being referenced. See
the numbers in the Ref. column? They are the number of places where that object is being used. The
number is actually a link, so if you click it, you can see which objects use it.
We've just shown how policies are matched. Let's look a little beyond that now, to slightly before policies,
to the scans they can use, and to packet egress.
What happens when a packet first arrives on a FortiGate network interface?
Step 1 is packet ingress.
If a Denial of Service sensor is selected in the policy, it takes effect. Because it's applied so early, DoS
packets don't receive other scans, and therefore don't consume unnecessary CPU or RAM.
At the IP layer, the packet's CRC is checked for a match with the CRC in the header to make sure that
the packet wasn't corrupted in transmission.
IPsec session-related packets are sent to either the kernel or hardware for payload decryption.
Destination NAT is applied before routing.
If this is a new session, or routing information has changed, FortiGate will make a routing lookup.
Step 3 is content inspection. FortiGate applies the security profiles that you selected in the policy here.
There are two main types of content inspection:
Flow-based
Proxy-based
The order of inspection is important. The next step applies only if traffic is not blocked by the previous step.
If you enable session starts, FortiGate will create a traffic log when the session begins. But remember that
increasing logging decreases performance. So use it only where necessary.
Once a firewall policy closes an IP session, if you have enabled logging in the policy, FortiGate will
generate traffic logs.
During the session, if a security profile detects a violation, FortiGate will record the attack log immediately.
To reduce the number of log messages generated and improve performance, you can enable a session
table entry for dropped traffic. This option is in the CLI, and is called ses-denied-traffic.
If the GUI option session starts is not displayed, your FortiGate device does not have internal storage. This
option is in the CLI, regardless of internal storage, and is called set logtraffic-start enable.
Once the first packet (assuming it is not dropped) establishes an IP session, FortiGate enters it in its
session table. If subsequent packets are received before the session times out, a hashing function looks
up the applicable policy for the scans or NAT that it should apply to incoming packets.
You can use the monitor section in order to determine how much traffic is matching each firewall policy.
Since the session table has a finite amount of RAM that it can use on your FortiGate, adjusting the session
time to live (TTL) can improve performance. There are global default timers, session state timers, and
timers configurable in firewall objects.
In this example, you can see the session TTL, which reflects how long FortiGate can receive no packets
until it will remove the session from its table.
Proto_state for TCP is taken from its state machine, which we'll talk about next.
Traffic shaping manages your bandwidth. Traffic counters are the overall counters for the session, and
determine how much data was sent and received.
NAT actions are also tracked.
In the previous slide, remember that the session table contained a number that indicated the connection's
current TCP state. These are the states of the TCP state machine. They are single-digit values, but
proto_state is always shown as two digits. This is because when proxy-based inspection is used, which is
discussed later, two connections are established with the proxy: one to the client, and one to the server. If
there are too many connections in the SYN state for long periods of time, this indicates a SYN flood, which
you can mitigate with DoS policies.
UDP is a stateless protocol, so it doesn't technically have states like TCP. However, the session table
does use the state column to track unidirectional UDP as state 0, and bidirectional UDP as state 1.
Before looking at the session table, first build a filter. To look at our test connection you can filter on dst
10.200.1.254 and dport 80.
Here we see the corresponding session table entry, including the routing and NAT actions that apply to
the traffic.
In addition to security scans, firewall policies also determine what network address translation (NAT) or
port address translation (PAT) to apply to each packet.
NAT and PAT, also known as NAPT, translate internal, typically private, IP addresses, to external, typically
public or Internet, IP addresses.
In FortiOS, NAT and traffic forwarding are configured in the same firewall policy. However, diagnostics
clearly show NAT and forwarding as separate actions. The NAT option in a firewall policy, and IP Pools,
are source NAT settings and objects. Virtual IPs are destination NAT objects.
The default source NAT option uses the egress interface address. This is a many-to-one NAT. In other
words, port address translation is used and connections are tracked using the original source address and
source port combinations, and allocated source port. This is the same behavior as the overload IP Pool
type, discussed later.
Optionally, you may select fixed port in which case the source port translation is disabled. With fixed port,
if two or more connections require the same source port for a single IP address, only one connection can
establish.
If you use an IP pool, the source address is translated to an address from that pool rather than the egress
interface address. The larger the number of addresses in the pool, the greater the number of connections
can be supported.
The default IP pool type is overload; here there is a many-to-one (or many-to-few) relationship and port
translation is used.
One-to-one differs in the sense that there is a single mapping of an internal address to external address.
Port address translation is not required in this case. See the circled example showing the same source
ports on ingress and egress?
Mappings are not fixed. They are allocated on a first-come first-serve basis. If there are no more
addresses available, a connection will be refused as shown in the debug flow.
207
DO NOT REPRINT
FORTINET
Firewall Policies
208
DO NOT REPRINT
FORTINET
Firewall Policies
These two CLI outputs illustrate the behavior difference between the port block allocation type, and the
default overload type.
Using hping, a rogue client generates many SYN packets per second. In the first example, the port block
allocation type limits the client to 64 connections for that IP pool. Other users will not be impacted by the
rogue client.
In the second example, the overload type imposes no limits, and the rogue client uses many more
connections in the session table. Other users will now be impacted.
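An added Python model (not FortiOS code) of the three source NAT behaviours the previous slides contrast, overload, one-to-one and port block allocation, driven by a rogue client that opens thousands of connections. The pool addresses, translated-port range and 64-port block size are assumptions chosen to mirror the slide, and sessions never close in this model.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed model: each class maps (client IP, source port) to a translated
# (pool address, port), or returns None when the connection must be refused.
EPHEMERAL = range(1024, 65536)          # assumed translated-port range per address

@dataclass
class Overload:
    """Many-to-one: all clients share the pool address(es); PAT picks the next free port.
    Nothing caps a single client, so one flooder can exhaust the ports for everyone."""
    pool: Tuple[str, ...]
    next_port: Dict[str, int] = field(default_factory=dict)

    def translate(self, src_ip: str, src_port: int) -> Optional[Tuple[str, int]]:
        for addr in self.pool:
            p = self.next_port.get(addr, EPHEMERAL.start)
            if p < EPHEMERAL.stop:
                self.next_port[addr] = p + 1
                return (addr, p)
        return None                               # every port on every address is taken

@dataclass
class OneToOne:
    """One internal address maps to one pool address; the source port is kept.
    Mappings are first-come first-served; no free address means connection refused."""
    pool: Tuple[str, ...]
    mapping: Dict[str, str] = field(default_factory=dict)

    def translate(self, src_ip: str, src_port: int) -> Optional[Tuple[str, int]]:
        if src_ip not in self.mapping:
            free = [a for a in self.pool if a not in self.mapping.values()]
            if not free:
                return None
            self.mapping[src_ip] = free[0]
        return (self.mapping[src_ip], src_port)   # no PAT: same port on ingress and egress

@dataclass
class PortBlock:
    """Each client receives one fixed-size block of ports on a pool address, so a
    single client can never hold more than block_size translations."""
    pool: Tuple[str, ...]
    block_size: int = 64                          # assumed; the slide caps the client at 64
    blocks: Dict[str, Tuple[str, int]] = field(default_factory=dict)  # client -> (addr, base)
    used: Dict[str, int] = field(default_factory=dict)                # client -> ports taken
    next_base: int = EPHEMERAL.start
    addr_idx: int = 0

    def translate(self, src_ip: str, src_port: int) -> Optional[Tuple[str, int]]:
        if src_ip not in self.blocks:
            if self.next_base + self.block_size > EPHEMERAL.stop:   # address full, move on
                self.addr_idx += 1
                self.next_base = EPHEMERAL.start
            if self.addr_idx >= len(self.pool):
                return None                       # whole pool handed out in blocks
            self.blocks[src_ip] = (self.pool[self.addr_idx], self.next_base)
            self.used[src_ip] = 0
            self.next_base += self.block_size
        addr, base = self.blocks[src_ip]
        if self.used[src_ip] >= self.block_size:
            return None                           # this client's block is full; others unaffected
        port = base + self.used[src_ip]
        self.used[src_ip] += 1
        return (addr, port)

def rogue_flood(nat, rogue: str = "10.0.1.66", syns: int = 5000) -> int:
    """Rogue client (the hping host on the slide) sends `syns` SYNs, each from a new
    source port; return how many received a translation."""
    return sum(nat.translate(rogue, 1024 + i) is not None for i in range(syns))

if __name__ == "__main__":
    pba = PortBlock(("10.200.1.10",))
    print("PBA: rogue got", rogue_flood(pba), "other client:", pba.translate("10.0.1.20", 40000))
    ov = Overload(("10.200.1.10",))
    print("overload: rogue got", rogue_flood(ov, syns=70000), "other client:", ov.translate("10.0.1.20", 40000))
```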
Virtual IPs (VIPs) are destination NAT objects. For sessions matching a VIP, the destination address is
translated: usually a public Internet address is translated to a server's private network address. Select
VIPs in the firewall policy's destination address field.
The default VIP type is static NAT. This is a one-to-one mapping which applies for incoming and outgoing
connections. That is, an outgoing policy with NAT enabled would use the VIP address instead of the
egress interface address. This behavior, however, can be overridden by use of an IP pool.
The static NAT VIP can be restricted to forward only certain ports. For example, connections to the
external IP on port 8080 map to the internal IP on port 80.
From the CLI, you can select the NAT type load-balance or server-load-balance. Plain load balancing
distributes connections from an external IP address to multiple internal addresses. The latter builds on that
mechanism, using a virtual server and real servers, and provides session persistence and server
availability check mechanisms.
VIPs should be routable to the external facing (ingress) interface. FortiOS responds to ARP requests for
VIP, and IP Pool, objects. ARP responses are configurable.
In this example, connections to the VIP 200.200.200.222 are NATed to the internal host 10.10.10.10.
Because this is static NAT, all NATed outgoing connections from 10.10.10.10 will use the VIP address in
the packet's destination field, not the egress interface's address.
For feature completeness, you can use a central NAT table. This is disabled by default. To enable it from
the GUI, go to System > Config > Features. In the CLI, use:
conf sys global
set gui-central-nat-table enable
end
In this case, the source NAT action is defined in a central table. If no central NAT rule exists, then the
default action of destination interface address is used.
Central NAT rules also allow control over source port usage.
Some application layer protocols are not fully independent of the lower layers, such as the network or
transport layer. If the session helper detects such a pattern, it may make changes to the application
headers or create the expected secondary connections.
A good example is where an application has both a control and a data/media channel, such as with FTP.
Firewalls will typically allow the control channel and rely on the session helpers to handle the dynamic
data/media transmission connections.
When more advanced application tracking and control is required, an Application Layer Gateway (ALG)
can be used. The VoIP profile is an example of an ALG.
In this example, the media recipient address in the SIP SDP payload is modified to reflect the NATed IP
address.
Traffic shaping (also called quality of service (QoS)) can be applied in firewall policy and used to manage
the bandwidth used by each service or application. FortiGate can count the packet rates of ingress and
egress to police traffic. Note that these apply equally to TCP and UDP, and UDP protocols may not
recover as gracefully from packet loss.
ToS/DSCP flags, if used, can map packets to a specific transmission queue. For additional information,
see the Traffic Shaping FortiOS Handbook.
FortiGates equipped with Network Processors (NP) offload packet handling from the CPU. For each new
IP session, the first packet always goes to the CPU. If the session can be offloaded to an available NP,
the kernel sends session information to the NP. All subsequent packets in that session are forwarded by
the NP and not the CPU, so their transmission is accelerated. When the last packet is sent or received,
such as a TCP FIN or TCP RST signal, the NP returns this session to the CPU, which handles tear down.
Non-eligible sessions remain on the CPU. Typically, this includes policies that have a security profile
enabled. IP fragments are also non-eligible.
diagnose CLI commands, such as diag packet sniff and diag debug flow, run on the CPU. They will
not show packets handled by an NP. To ensure accurate output for these commands, you can temporarily
disable NPU offload in each firewall policy so that the packets are handled by the CPU and therefore
received by the troubleshooting command.
As a UTM, one of the most important features that a firewall policy can apply is security profiles such as
IPS and antivirus. These profiles inspect each packet in traffic flows where the session has already been
conditionally accepted by the firewall policy.
When inspecting traffic, FortiGate can use one of two methods: flow- or proxy-based. Different security
features are supported by each type.
By proxy-based scans, we typically mean a transparent proxy. It's called transparent because at the
IP layer, FortiGate is not the destination address, yet FortiGate intercepts the traffic anyway.
In TCP connections, FortiGate's proxy generates the SYN ACK to the client and completes the three-way
handshake with the client before creating a second, new connection to the server. If the payload is less
than the oversize limit, the proxy buffers transmitted files/email for inspection before continuing
transmission. The proxy analyzes and may change headers such as HTTP Host: and URI for web
filtering. If a security profile decides to block the connection, the proxy can send a replacement message to
the client.
This adds latency to the overall transmission speed.
Proxy options affect the content inspection proxy. Settings include port numbers, oversize file action and
threshold, and client comforting (where the proxy transmits packets slowly while it continues to buffer and
scan).
An SSL/SSH inspection profile contains settings for decrypting these protocols, which is required in order to
scan their content. Otherwise, viruses could be transmitted via HTTPS or SMTPS, for example, without
detection.
For SSH, inspection allows the FortiGate to intercept connections and control protocol commands. For
example, using an SSH tunnel, a client could port forward any other protocol across an SSH connection.
Using an SSH profile, FortiGate can block the Port-Forward command.
When troubleshooting firewall policies, you need to understand how the traffic should flow.
Typically there are many firewall policies. What is the ingress/egress interface? What is actually happening
to the traffic/application? Is it slow? Is it failing to connect? These can help to define which
troubleshooting steps you need to take.
One of the most fundamental network debugging tools is packet capture, or sniffing.
The syntax of the CLI command is diag sniff packet interface filter level. The interface is the name of the
physical or logical interface; if your account has the access profile super_admin, you can specify the any
interface. The filters are similar to tcpdump on Linux. For level, you can choose from 1 to 6 depending
on your requirements.
The only output options are the payloads in ASCII and Hexadecimal format. To completely decode the
packet and view its content, save the output to a plain text file, convert it to .pcap format, then open it with
Wireshark.
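One way to do that conversion, as an added example rather than a Fortinet-supplied script: a Python parser for the sniffer's hex-dump lines that writes a libpcap file Wireshark can open. The sample capture is constructed, and the header-line layout (timestamp, interface, direction, addresses) and tab-separated hex column are assumptions about the sniffer output.

```python
import re
import struct
from datetime import datetime, timezone

# Constructed sample of `diag sniff packet` output at verbosity 2 (dump starts at the
# IP header): one TCP SYN from 10.0.1.10:39738 to 10.200.1.254:80. Format assumed.
SAMPLE = "\n".join([
    "interfaces=[port3]",
    "filters=[port 80]",
    "2015-04-30 10:01:02.123456 port3 in 10.0.1.10.39738 -> 10.200.1.254.80: syn 1000",
    "0x0000\t 4500 0028 0001 4000 4006 0000 0a00 010a\tE..(..@.@.......",
    "0x0010\t 0ac8 01fe 9b3a 0050 0000 03e8 0000 0000\t.....:.P........",
    "0x0020\t 5002 2000 0000 0000\tP. .....",
])

# Header line starts with an absolute timestamp (YYYY-MM-DD hh:mm:ss.uuuuuu) or a
# relative one (seconds.uuuuuu); anything else gives time zero.
HEADER_RE = re.compile(r"^(?:(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)|(\d+))\.(\d{1,6})\s")

def _timestamp(header: str):
    m = HEADER_RE.match(header)
    if not m:
        return (0, 0)
    usec = int(m.group(3).ljust(6, "0"))
    if m.group(1):
        dt = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        return (int(dt.timestamp()), usec)
    return (int(m.group(2)), usec)

def _hex_bytes(line: str) -> bytes:
    """Bytes encoded in one dump line: '0x0010<tab> hhhh hhhh ...<tab>ascii'."""
    fields = line.split("\t")
    hex_field = fields[1] if len(fields) > 1 else line.split(None, 1)[1]
    out = bytearray()
    for tok in hex_field.split():
        if not re.fullmatch(r"[0-9a-fA-F]{2}([0-9a-fA-F]{2})?", tok):
            break                       # reached the ASCII column of a space-separated dump
        out += bytes.fromhex(tok)
    return bytes(out)

def parse_sniffer(text: str):
    """Return a list of ((sec, usec), packet_bytes) from saved sniffer output."""
    packets, ts, data = [], (0, 0), bytearray()
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("0x"):
            data += _hex_bytes(line)
            continue
        if data:                        # a new header line flushes the previous packet
            packets.append((ts, bytes(data)))
            data = bytearray()
        ts = _timestamp(line)
    if data:
        packets.append((ts, bytes(data)))
    return packets

def to_pcap(packets, linktype: int = 101) -> bytes:
    """libpcap file: linktype 101 = raw IPv4 (verbosity 2/5 dumps begin at the IP
    header), 1 = Ethernet (verbosity 3/6 dumps include the Ethernet header)."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype))
    for (sec, usec), data in packets:
        out += struct.pack("<IIII", sec, usec, len(data), len(data)) + data
    return bytes(out)

if __name__ == "__main__":
    pkts = parse_sniffer(SAMPLE)
    with open("capture.pcap", "wb") as fh:
        fh.write(to_pcap(pkts))
    print(f"wrote {len(pkts)} packet(s) to capture.pcap")
```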
Here are some general examples. Much more can be learnt by reading the man page for tcpdump.
If your model of FortiGate has internal storage, you can capture packets from the GUI. Looking at the
content of the packets can help you to see what is abnormal. The options in the GUI are the same as
those from the CLI. To run a trace, specify a source interface and a filter.
What is the main advantage over the CLI? You can download the output in a file format which can be read
by Wireshark, without having to use a conversion script.
Any packet capture filter should be very specific in order to avoid writing large amounts of data to disk
which will affect performance.
Before, we mentioned that a packet capture does not show why FortiGate may have dropped a packet.
This is the purpose of the packet flow.
This is an example of diag debug flow. The first lines enable it, and enable it to print to the console. Next,
the filters define which IP address and port numbers to trace the flow for; addr implies both source and
destination, and port 80 typically captures HTTP.
Here is output for the previous example, for the three-way handshake.
Virtual domain root receives a packet: the protocol is TCP; destination port 80; source IP 10.0.1.10;
destination IP 10.200.1.1. The packet is received on interface port3.
FortiOS identifies this as a new session because it does not match any entries in its current session table.
FortiOS performs a routing lookup, as this is the first packet of the connection; gateway 10.200.1.254 (in
this case the destination) is found on interface port1.
For the firewall policy match, the interfaces are port3 to port1. The hashing function is used for the
policy lookup.
The connection matches policy ID 1 with source NAT enabled. The source address and port for all
packets in this connection will NAT to 10.200.1.1:39738.
The packet is sent to the IPS module. In this case, the IPS security profile is enabled on the firewall policy.
Next, the reply (SYN/ACK) is received. This is identified as reply traffic for an existing connection. For
the first reply packet, a routing lookup occurs.
Next, the client sends the ACK. This is identified as belonging to an existing connection.
The retransmission of SYN packets is a good indicator of the firewall blocking a connection. However, we
don't know for sure. We could look at the traffic logs, if logging was enabled for the deny policy. What else
could we use, though? The packet flow.
Combining debug flow and packet sniffer, we now see which firewall action is blocking this traffic.
Firewall Authentication
In this lesson, we will show you how to use authentication on the firewall policies of a FortiGate.
Normal firewall policies involve separating devices based on the IP address or subnet involved.
Adding authentication to firewall policies, however, provides a mechanism to make decisions on not
just where the device is, but who is using the device.
After completing this lesson, you should have a solid understanding of the mechanics of authentication
on a FortiGate as well as some practical skills configuring firewall authentication.
Traditional firewalling grants network access by authenticating the source IP address only. This is
inadequate, as the firewall cannot determine who is using the device to which it is granting access.
This can pose a security risk.
Authentication allows action based on the user, not just the IP address. In this way, inspection rules
follow individuals across multiple devices.
Not all available methods of authentication can be used for firewall authentication (for example,
certificate-based authentication cannot be used). You can, however, use local password
authentication, remote password authentication, and two-factor authentication. Two-factor
authentication is slightly different from the others, as it is enabled on top of an existing method; it
cannot be enabled without first configuring one of the other methods.
In this lesson, we will discuss all three available methods.
The first and simplest method of authentication is Local Password Authentication. User account
information (user name and password) is stored locally on the FortiGate device, so there is no lookup
to an external server for user validation.
Local Password Authentication is the simplest method of authentication to configure, since you only
need access to the FortiGate. Other methods of authentication are more complex, as they involve
configuring the exchange of information between the FortiGate and a remote server as well as
configuring the various users and user groups on the server itself. Troubleshooting in those situations
becomes more complicated, as you need to examine both the FortiGate and external server. With
Local Password Authentication, you need only examine the FortiGate.
The second method of authentication is remote server authentication (or server-based password
authentication). This includes any form of authentication where the final decision on user credentials is
made by an external server, not the FortiGate. This method is desirable when multiple FortiGate
devices need to authenticate the same users or user groups.
With remote server authentication, user information is sent from the FortiGate to a remote server. The
remote server then evaluates the information it receives and sends a response. The FortiGate examines
the server response and consults its own configuration to decide how to handle the traffic. However, it is
the server, not the FortiGate, that has final authority over evaluating the user credentials.
With Remote Server Authentication, the FortiGate does not store all (or, in the case of some
configurations, any) of the user information locally.
Multiple protocols are supported for remote user authentication, including POP3, RADIUS (includes
server authentication and the single sign on method, RSSO), LDAP, and TACACS+.
Single sign on (SSO) methods, such as FSSO, NTLM, and RSSO, are also supported for remote user
authentication.
With a FortiGate, you can implement Single Sign On (SSO) using FSSO and RSSO.
SSO allows a single login event to be used for all authentication and access situations. Without SSO,
if a user logs in to a Wi-Fi network, they will need to log in through a firewall policy separately when
they try to pass traffic. SSO links multiple authentication events to a single event.
One remote server authentication protocol worth mentioning is POP3, as the login credentials the
remote server accepts are different from those of most other authentication protocols. Most other
authentication protocols use the user name. POP3 servers, however, authenticate users based on email
address. Some POP3 servers require the full email address with domain (user@example.com), others
require the suffix only, while still others accept both formats. This is determined by the configuration of
the server itself and is not a setting on the FortiGate. You can only configure POP3 authentication
through the CLI.
You can also use LDAP to validate with email, rather than the user name.
The third, and final, method of authentication for firewalls, which is really just an extension of an
existing authentication method, is two-factor authentication.
Traditional user authentication requires your user name plus something you know, such as a
password. The weakness with this traditional method of authentication is that if someone obtains your
user name, they only need your password to compromise your account. Furthermore, since people
tend to use the same password across multiple accounts (some sites with more security vulnerabilities
than others), accounts are vulnerable to attack, regardless of password strength.
Two-factor authentication, on the other hand, requires something you know, such as a password, and
something you have, such as a token. This increases the complexity for an attacker to compromise an
account, as it puts less importance on often-vulnerable passwords. With this authentication method,
security is split between two different options: both a password and a key of some kind.
One-time passwords are one such method you can use with Two-Factor Authentication as something
you have. FortiToken and FortiToken Mobile (hardware and software respectively) both generate
one-time passwords. Both FortiToken and FortiToken Mobile generate a new password every 60
seconds.
You can deliver an OTP through alternative methods, other than providing the end user with a token or
mobile app. For example, you can send an OTP through email or through an SMS text message.
It is very important that FortiTokens are synchronized with the FortiGate. Otherwise FortiGate cannot
predict the correct string to use.
Tokens use a specific algorithm to generate a one-time password. The inputs to the algorithm are:
a seed, which is a randomly generated number that does not change over time, and
the time, which is obtained from an internal, accurate clock.
Both seed and time go through an algorithm that generates a one-time password on the token. The
OTP has a short life span, usually measured in seconds (60 seconds for a FortiToken, possibly
more or less for other RSA key generators). Once the life span ends, for example after 60 seconds, a
new one is generated.
With two-factor authentication using a token, the user must first log in with a static password followed
by the OTP (or code) generated by the token. A validation server (a FortiGate) receives the user's
credentials and validates the static password first. The validation server then proceeds to validate the
OTP. It does so by re-generating the same OTP using the seed and system time (which is
synchronized with the one on the token) and comparing it with the one received from the user. If the
static password is valid and the one-time password matches, the user is successfully authenticated.
Again, both the token and the validation server must use the same seed and have synchronized
system clocks. As such, it is crucial that you configure your FortiGate's date/time properly or link it to
an NTP server.
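The seed-plus-time scheme and the server-side validation order described above, as an added example (not Fortinet's code): the token is modelled as an RFC 6238 time-based OTP with a 60-second step, the seed, user name and password are constructed, and the drifted token shows why the two clocks must stay synchronized.

```python
import hashlib
import hmac
import struct

# Added example, not FortiToken's actual algorithm: the token is modelled as an
# RFC 6238 time-based OTP (HMAC-SHA1 with RFC 4226 truncation) using a
# 60-second step, which matches the 60-second lifetime described for FortiToken.
STEP_SECONDS = 60
DIGITS = 6


def otp_at(seed: bytes, unix_time: int, step: int = STEP_SECONDS,
           digits: int = DIGITS) -> str:
    """Derive the OTP for the time step that contains unix_time."""
    counter = int(unix_time) // step            # which 60-second window we are in
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class Token:
    """The user's token: shares the seed with the server but has its own clock."""

    def __init__(self, seed: bytes, clock_skew: int = 0):
        self.seed = seed
        self.clock_skew = clock_skew             # seconds the token clock is off by

    def current_otp(self, real_time: int) -> str:
        return otp_at(self.seed, real_time + self.clock_skew)


class ValidationServer:
    """The FortiGate side: static password first, then regenerate and compare the OTP."""

    def __init__(self, users: dict):
        self.users = users                       # username -> (static password, seed)

    def authenticate(self, username: str, password: str, otp: str,
                     server_time: int) -> str:
        record = self.users.get(username)
        if record is None:
            return "reject: unknown user"
        static_password, seed = record
        if not hmac.compare_digest(password.encode(), static_password.encode()):
            return "reject: password"            # static password is checked first
        expected = otp_at(seed, server_time)     # regenerate from seed + own clock
        if not hmac.compare_digest(expected.encode(), otp.encode()):
            # A token whose clock is not synchronised with the server lands in a
            # different 60-second window and therefore produces a different code.
            return "reject: otp"
        return "accept"


if __name__ == "__main__":
    seed = b"constructed-seed-0123456789ab"      # constructed, not a real seed
    server = ValidationServer({"alice": ("s3cret-pass", seed)})
    now = 1_700_000_000                         # fixed "current" time for the demo
    good_token = Token(seed)
    print(server.authenticate("alice", "s3cret-pass", good_token.current_otp(now), now))
    # A token that drifted by five minutes no longer matches the server.
    drifted = Token(seed, clock_skew=300)
    print(server.authenticate("alice", "s3cret-pass", drifted.current_otp(now), now))
```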
To use a FortiToken, you must first register it on a FortiGate device. Whether it's a hardware or
software token, a serial number is used to provide the FortiGate with details on the initial seed value.
If you are using FortiToken Mobile, each FortiGate (and FortiGate VM) allows for two free activations.
More than this requires the purchase of activation codes for additional mobile tokens from Fortinet.
You cannot register FortiTokens on more than one FortiGate. A deployment like that requires the use
of a central FortiAuthenticator. In that case, the FortiTokens are registered on the FortiAuthenticator
and not the FortiGate. FortiGate uses FortiAuthenticator as its validation server, which allows the
same FortiToken to be used for access on multiple FortiGate devices.
Not all types of authentication involve prompting the user to enter their login credentials. While active
authentication (used with LDAP, RADIUS, Local Password Authentication, and TACACS+) prompts
the user to manually enter credentials, passive authentication (used with FSSO, RSSO, and NTLM)
determines user information without ever asking the user to log in. Passive authentication, therefore,
occurs transparently for the user.
You can enable both active and passive authentication. If both active and passive authentication are
enabled and a user's credentials can be determined through passive means, then the user will never
receive a login prompt, regardless of the order of any firewall policies. This is because there is no
need to prompt the user for active authentication credentials when passive authentication can
determine who they are. When active and passive authentication methods are combined, active
authentication is intended to be used as a backup only for when passive authentication fails.
No one method of authentication is considered more important than another. The first method that can
determine a user name for any traffic is the deciding factor. Ultimately that determines how the traffic
is handled.
A firewall policy defines and matches traffic going from the source to the destination.
An IP address is required as part of the policy configuration for the source and destination. User, user
group, and device information can be enabled as well. If enabled, they become part of the source
definition for that policy. Accordingly, a source comprises source address(es) + source
user(s)/group(s) + source device(s).
No service (with the exception of DNS) is allowed through the firewall policy prior to successful user
authentication. DNS is allowed because it is a base protocol and will most likely be required to initially
see proper authentication protocol traffic. Hostname resolution is almost always a requirement for any
protocol. However, the DNS service must still be defined as allowed within the policy in order for it to
pass.
In the following example, Policy #1 allows users to use external DNS servers on the other side of
port2 in order to resolve host names, prior to successful authentication. Therefore, the DNS traffic is
allowed through even before authentication happens. It is also allowed if authentication is
unsuccessful, as users need to be able to try to authenticate again. Any service that includes DNS
would function the same way, like the default ALL service.
Policy #2, on the other hand, never allows DNS traffic, even after successful authentication. The
HTTP service is TCP port 80 and does not include DNS (UDP port 53).
In this example, assuming active authentication is used, any initial traffic from the 10.10.1.0/24 subnet
will not match policy #1. Policy 1 looks at the IP as well as the user information, and since the user
has not authenticated there is no match.
Next, a check is made against policy #2. There is a match and traffic is allowed with no need to
authenticate.
When only active authentication is used, if all possible policies that could match the source IP have
authentication enabled, then the user will receive a login prompt (assuming they use an acceptable
login protocol). In other words, if policy #2 also had authentication enabled, the users would receive
login prompts.
If passive authentication is used and it can successfully obtain user details, then traffic from
10.10.1.0/24 with users that belong to the guest-group will match policy #1, even though policy #2
does not have authentication enabled.
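The matching rules from the last few slides (first matching policy wins, a user/group policy cannot match an unknown user, DNS passes before login, a prompt appears only when every candidate policy needs authentication), as an added model that is not FortiOS code; the policy table, interfaces and addresses are constructed to mirror the slides' policy #1 (guest-group, ALL) and policy #2 (HTTP, no authentication).

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Added example, not FortiOS code: a small model of the policy-matching
# behaviour described in the text. Policies, addresses and interface names
# are constructed for the demo.
Service = Optional[FrozenSet[Tuple[str, int]]]     # None stands for the ALL service
DNS: Service = frozenset({("udp", 53), ("tcp", 53)})
HTTP: Service = frozenset({("tcp", 80)})
ALL: Service = None


@dataclass(frozen=True)
class Packet:
    srcintf: str
    dstintf: str
    src_ip: str
    dst_ip: str
    proto: str
    port: int


@dataclass(frozen=True)
class Policy:
    policy_id: int
    srcintf: str
    dstintf: str
    srcaddr: str                                   # CIDR
    dstaddr: str                                   # CIDR; 0.0.0.0/0 for "all"
    service: Service
    groups: FrozenSet[str] = frozenset()           # empty: no authentication on this policy

    def needs_auth(self) -> bool:
        return bool(self.groups)

    def matches_network(self, p: Packet) -> bool:
        """The IP/interface/service part of the source and destination definition."""
        return (self.srcintf == p.srcintf and self.dstintf == p.dstintf
                and ipaddress.ip_address(p.src_ip) in ipaddress.ip_network(self.srcaddr)
                and ipaddress.ip_address(p.dst_ip) in ipaddress.ip_network(self.dstaddr)
                and (self.service is None or (p.proto, p.port) in self.service))


def evaluate(policies: List[Policy], pkt: Packet,
             user_groups: Optional[FrozenSet[str]] = None,
             active_auth_available: bool = True) -> Tuple[str, object]:
    """Return ("accept", policy_id), ("prompt", [policy_ids]) or ("deny", None).

    user_groups is the identity already known for the source host, learned
    passively (FSSO/RSSO/NTLM) or from an earlier active login; None means the
    user is still unknown."""
    waiting_for_auth = []
    for pol in policies:                           # policies are checked top to bottom
        if not pol.matches_network(pkt):
            continue
        if not pol.needs_auth():
            return ("accept", pol.policy_id)       # IP/service match is enough
        if user_groups is not None and user_groups & pol.groups:
            return ("accept", pol.policy_id)       # identity matched the policy's groups
        if (pkt.proto, pkt.port) in DNS:
            return ("accept", pol.policy_id)       # DNS is let through before login
        waiting_for_auth.append(pol.policy_id)     # could match, but only after login
    if waiting_for_auth and user_groups is None and active_auth_available:
        return ("prompt", waiting_for_auth)        # every candidate needs authentication
    return ("deny", None)                          # implicit deny


# Constructed policy table mirroring the slides' example.
POLICY_1 = Policy(1, "port1", "port2", "10.10.1.0/24", "0.0.0.0/0", ALL,
                  frozenset({"guest-group"}))
POLICY_2 = Policy(2, "port1", "port2", "10.10.1.0/24", "0.0.0.0/0", HTTP)
POLICY_2_WITH_AUTH = Policy(2, "port1", "port2", "10.10.1.0/24", "0.0.0.0/0", HTTP,
                            frozenset({"guest-group"}))


def packet(proto: str, port: int) -> Packet:
    """A constructed packet from a host behind port1 heading out port2."""
    return Packet("port1", "port2", "10.10.1.20", "203.0.113.10", proto, port)


if __name__ == "__main__":
    table = [POLICY_1, POLICY_2]
    print(evaluate(table, packet("tcp", 80)))                              # ('accept', 2)
    print(evaluate(table, packet("udp", 53)))                              # ('accept', 1)
    print(evaluate(table, packet("tcp", 22)))                              # ('prompt', [1])
    print(evaluate(table, packet("tcp", 80), frozenset({"guest-group"})))  # ('accept', 1)
    print(evaluate([POLICY_1, POLICY_2_WITH_AUTH], packet("tcp", 80)))     # ('prompt', [1, 2])
```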
If you want all users connecting to the network to authenticate through active authentication, you can
enable the captive portal. With captive portal, network interfaces perform authentication at the
interface level, regardless of the firewall policy that allows the traffic or the port that it ultimately leaves by
(authentication being enabled or disabled on the policy is not a factor). Essentially, a captive portal is a
convenient way to authenticate web users on wired or Wi-Fi networks through an HTML form that
requests the user's name and password. You can host a captive portal on a FortiGate device or an
external authentication server.
The captive portal setting must be enabled on the Ingress interface of the traffic. Captive portals are
not compatible with interfaces in DHCP mode.
Using the previous example, with captive portal enabled on port 1, all traffic from behind port 1 would
receive a login prompt, not just the users in the 10.10.1.0/24 subnet or traffic that may be going
somewhere other than port 2.
Passive authentication never requires a captive portal, since it obtains user details differently. Only
active authentication methods can use the captive portal feature (depending on the configuration).
A firewall policy can have the captive portal suppressed. When suppressed, traffic that matches the
source and destination is not presented with the captive portal page. The captive-portal-exempt
setting must be enabled in the CLI for each firewall policy and only applies to traffic that matches that
policy. The security-exempt-list CLI setting, however, exempts those sources at all times, regardless of
the firewall policy settings.
Depending on the configuration, one option or the other usually simplifies your configuration more.
Use the option that best fits the requirements of the situation and results in less confusion or ongoing
maintenance.
You can create and configure security exempt lists only from the CLI. However, you can enable them
through the GUI settings.
You can enable disclaimers to be used in conjunction with captive portal, if desired. Disclaimers are
not considered authentication or a captive portal, but the two tend to go hand-in-hand. With the
authentication and disclaimer setting, the disclaimer appears before the user authenticates and acts
as a reminder of the rules for the network. Under this setting, users must accept the terms in the
disclaimer in order to proceed with the authentication process.
Neither a security exemption list nor a captive portal exemption on a firewall can bypass a disclaimer.
Any time FortiGate is required to jump into the traffic stream (with authentication pages or disclaimers
for example), you can modify the particulars of the block page through the GUI.
Editing HTML-related block messages requires knowledge of HTML, to ensure proper positioning and
look of the page. The default layout is the Simple View, which hides most of the replacement
messages. Use Extended View to show all editable replacement messages.
An authentication timeout ensures users do not authenticate and then stay in memory indefinitely. If
users stay in memory forever, it would eventually lead to memory exhaustion.
There are three options for timeout behavior:
IDLE: Looks at the packets from the host's IP. If there are no packets generated by the host device
in the configured timeframe, then the user is logged out.
HARD: Time is an absolute value. Regardless of the user's behavior, the timer starts as soon as
the user authenticates and expires after the configured value.
NEW SESSION: Even if traffic is being generated on existing communication channels, the
authentication expires if no new sessions are created through the firewall from the host device
within the configured timeout.
Choose the type of timeout that best suits the needs of authentication in your environment.
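The three timeout behaviours replayed against one constructed traffic stream, as an added example that is not FortiOS code: a host keeps one long-lived session busy for 20 minutes but opens only a single new session, so the same 300-second timeout logs the user out at three different times.

```python
from dataclasses import dataclass
from typing import Iterable, Tuple

# Added example, not FortiOS code: a model of the IDLE, HARD and NEW SESSION
# timeout behaviours, driven by a constructed stream of observations
# (time in seconds, whether that packet opened a new session).


@dataclass
class AuthEntry:
    user: str
    mode: str                  # "idle", "hard" or "new-session"
    timeout: int               # seconds
    login_time: int
    last_packet: int = 0
    last_new_session: int = 0

    def __post_init__(self) -> None:
        self.last_packet = self.login_time
        self.last_new_session = self.login_time

    def observe(self, now: int, new_session: bool) -> None:
        """Record a packet seen from the authenticated host."""
        self.last_packet = now
        if new_session:
            self.last_new_session = now

    def deadline(self) -> int:
        """Time at which this entry expires if nothing further is seen."""
        if self.mode == "hard":
            return self.login_time + self.timeout         # absolute; traffic is irrelevant
        if self.mode == "idle":
            return self.last_packet + self.timeout        # any packet restarts the timer
        if self.mode == "new-session":
            return self.last_new_session + self.timeout   # only a new session restarts it
        raise ValueError(f"unknown timeout mode: {self.mode}")


def logout_time(mode: str, timeout: int, events: Iterable[Tuple[int, bool]],
                login_time: int = 0) -> int:
    """Replay the events in time order and return when the user is logged out."""
    entry = AuthEntry("alice", mode, timeout, login_time)      # constructed user
    for t, new_session in sorted(events):
        if entry.deadline() <= t:
            return entry.deadline()      # expired before this packet arrived
        entry.observe(t, new_session)
    return entry.deadline()


# Constructed scenario: a long download keeps packets flowing every 60 seconds
# for 20 minutes, but the host opens only one new session, at t=120.
EVENTS = [(t, t == 120) for t in range(60, 1260, 60)]

if __name__ == "__main__":
    for mode in ("hard", "idle", "new-session"):
        print(f"{mode:12s} timeout=300 -> logged out at t={logout_time(mode, 300, EVENTS)}")
```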
We've mentioned users and user groups several times in this lesson. Now, we'll take a closer look at
how both users and user groups are used by FortiGate for firewall authentication. Before that,
however, we'll give a short refresher on how you create users and groups on an external server, which
is useful if Remote Password Authentication is used as a method of authentication.
LDAP is a standard remote authentication protocol currently supported by the FortiGate device. The
behavior of LDAP is defined through multiple RFCs.
LDAP is an application protocol for distributed directory information services. It can also be viewed as
a database that contains user accounts, among other things. The structure of this database is similar
to a tree that contains entries (or objects) in each branch. Each of these objects has a unique
identifier, which is called the distinguished name (or DN). The objects also have attributes, and each
attribute has a name and one or more values. This structure is defined in what is called a directory
schema.
The hierarchy of an LDAP schema is not required to bear any resemblance to the organization.
However, the naming conventions and group structure used generally match the name of the
company and the corporate hierarchy very closely.
At the top, we have the root or DC. This is where an LDAP tree always starts, with any schema.
After that, the groups are defined using C, OU, and/or O. The exact behavior and options used depend
on the schema and what exactly is being defined. At the end of the tree is the UID, which contains
specific details about a particular user.
The full path to find a user contains all of the information necessary in order to locate a user within the
tree structure. This means you will need the DN (somewhere to start), the group information (C, OU,
O), and the UID.
What you enter for the LDAP configuration depends heavily on the server's schema and security
settings. Windows Active Directory is very common.
Common Name Identifier is the attribute name to look up in order to find the user name. Some
schemas will call this UID; Active Directory calls it sAMAccountName or sometimes cn.
Distinguished Name identifies the top of the tree to look in. Generally this will be a DC value.
The Bind Type setting will vary, depending on the security settings of the LDAP server. Normally,
this will need to be Regular, with the credentials being those of a user that is authorized to perform
LDAP queries.
To see whether a user's credentials can successfully authenticate, you must use the CLI or enable
authentication on a firewall policy. The GUI will only test whether the initial LDAP connection to the
server is successful.
Because the GUI only tests success/failure, either look at the server logs or run a packet sniff to see
both sides of the LDAP communication so you can find out exactly what is happening. Exact output
will vary depending on the hierarchy of the LDAP server that was queried.
diagnose test authserver can be used to test most (not all) methods of authentication.
RADIUS doesn't have the same kind of behavior as LDAP, as there is no tree structure to consider.
Normal authentication queries with the RADIUS protocol begin with an Access-Request being sent
from the FortiGate to the RADIUS server. Valid responses to this are Access-Accept and Access-Reject
(yes and no, effectively).
If Two-Factor Authentication is enabled on the server, it will come back with an Access-Challenge
message, where it is essentially looking for more information. Any other response from the server is
not considered to be a valid response.
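The Access-Request exchange with its three valid answers, as an added example that is neither FortiOS nor any RADIUS server's code: a minimal RFC 2865 client and server where the shared secret, user database and token code are constructed, and the Access-Challenge round carries a State attribute the client echoes back with the token code.

```python
import hashlib
import hmac
import os
import struct
from typing import Dict, List, Optional, Tuple

# Added example, not FortiOS or any RADIUS server's code: a minimal RFC 2865
# client/server exchange. The shared secret, users and token code are constructed.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24   # attribute types
Attrs = List[Tuple[int, bytes]]


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """User-Password hiding (RFC 2865 5.2): each 16-byte block is XORed with
    MD5(secret + previous block), the first block using the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs: Attrs) -> bytes:
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data: bytes) -> Attrs:
    attrs, pos = [], 0
    while pos + 2 <= len(data):
        t, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[pos + 2:pos + length]))
        pos += length
    return attrs


def build_packet(code: int, ident: int, authenticator: bytes, attrs: Attrs) -> bytes:
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(pkt: bytes) -> Tuple[int, int, bytes, Attrs]:
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("bad RADIUS length")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:])


def access_request(ident: int, user: str, password: str, secret: bytes,
                   state: Optional[bytes] = None,
                   request_auth: Optional[bytes] = None) -> bytes:
    """What the FortiGate sends; State is echoed back while answering a challenge."""
    request_auth = request_auth or os.urandom(16)   # fresh Request Authenticator
    attrs = [(USER_NAME, user.encode()),
             (USER_PASSWORD, hide_password(password.encode(), secret, request_auth))]
    if state is not None:
        attrs.append((STATE, state))
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs)


def response_authenticator(code: int, ident: int, request_auth: bytes,
                           body: bytes, secret: bytes) -> bytes:
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def verify_response(resp: bytes, request_auth: bytes, secret: bytes) -> bool:
    """The client checks the Response Authenticator before trusting any answer."""
    code, ident, auth, attrs = parse_packet(resp)
    expected = response_authenticator(code, ident, request_auth, encode_attrs(attrs), secret)
    return hmac.compare_digest(auth, expected)


class RadiusServer:
    """Answers Accept, Reject, or Challenge (when the user has two-factor enabled)."""

    def __init__(self, secret: bytes, users: Dict[str, Tuple[str, Optional[str]]]):
        self.secret, self.users = secret, users   # user -> (password, token code or None)
        self.pending: Dict[bytes, str] = {}       # State -> user awaiting a token code

    def handle(self, pkt: bytes) -> bytes:
        code, ident, req_auth, attrs = parse_packet(pkt)
        a = dict(attrs)
        if code != ACCESS_REQUEST or USER_NAME not in a or USER_PASSWORD not in a:
            return self._reply(ACCESS_REJECT, ident, req_auth, [])
        user = a[USER_NAME].decode(errors="replace")
        supplied = reveal_password(a[USER_PASSWORD], self.secret, req_auth)
        state = a.get(STATE)
        if state in self.pending and self.pending.pop(state) == user:
            # second round of the challenge: the "password" is now the token code
            ok = hmac.compare_digest(supplied, (self.users[user][1] or "").encode())
            return self._reply(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, req_auth, [])
        record = self.users.get(user)
        if record is None or not hmac.compare_digest(supplied, record[0].encode()):
            return self._reply(ACCESS_REJECT, ident, req_auth, [])
        if record[1] is not None:                 # two-factor: ask for the token code first
            state = os.urandom(8)
            self.pending[state] = user
            return self._reply(ACCESS_CHALLENGE, ident, req_auth,
                               [(STATE, state), (REPLY_MESSAGE, b"Enter token code")])
        return self._reply(ACCESS_ACCEPT, ident, req_auth, [])

    def _reply(self, code: int, ident: int, req_auth: bytes, attrs: Attrs) -> bytes:
        body = encode_attrs(attrs)
        return build_packet(code, ident,
                            response_authenticator(code, ident, req_auth, body, self.secret), attrs)
```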
Testing RADIUS is much the same as LDAP. The GUI can test the connection to the server, but not a
user login. Make sure that authentication is operational prior to implementing it on any of your firewall
policies.
Like LDAP, it reports success, failure, and group membership details depending on the servers
response. Deeper troubleshooting requires server access.
Now that we've examined how to create users on the LDAP or RADIUS server, let's look at how to
create the firewall users and groups on the FortiGate. This is the first step to authentication: creating
firewall users and groups.
You can create firewall authentication users through the Users & Devices > User > User Definition
page of the FortiGate GUI. A wizard walks you through the creation process.
You are required to define the type of user (Local or Remote) and the user credentials. For remote
authentication, you must select the server to authenticate against as well. There are other optional settings
available, such as adding contact information, enabling Two-Factor Authentication, or adding the user
to a User Group.
Once you've made user accounts, you can assign firewall policies to them. But rather than assign
firewall policies to act on individual users, you can put users into groups with policies making
decisions based on the group itself. These groups are known as user groups. By assigning individual
users to the appropriate user groups, you can control access to network resources. You can define
both local and remote user groups on a FortiGate device. There are four user group types:
Firewall
Fortinet Single Sign On (FSSO)
Guest, and
RADIUS Single Sign On (RSSO)
The firewall user groups do not need to match any sort of group that may already exist on a server.
The firewall user groups exist solely to make configuration of firewall policies easier.
Note that most authentication types have the option to make decisions based on the individual user,
rather than just user groups.
As mentioned, one of the four user group types is Guest. Guest groups are user groups that
exclusively contain temporary user accounts (the whole account, not just the password), and are most
commonly used in wireless networks. Guest accounts expire after a predetermined amount of time.
You can automatically create guest users on the fly, or manually create them through an admin user.
You can create special admin users that only have access to create and manage guest user accounts.
You can configure user groups through the FortiGate GUI under User & Device > User > User Group.
You must specify the user group type, the local users that belong to the group, and the remote
authentication server(s) that contain the users that belong to the user group.
User groups simplify your configuration if you want to treat specific users in the same way, for
example, if you want to provide all accountants with access to the same network resources. If you
want to treat all users differently, you would need to add all users to firewall policies separately.
Once you've created firewall users and groups, you can move on to configuring the policies.
IP information is part of the source definition for a policy in combination with any configured user and
groups specified. Just because a user is in a group does not mean they can only be referenced by
using the group.
After creating firewall policies, you can monitor access of your firewall users. To keep track of who is
authenticated through the firewall policies there is a User Monitor section in the GUI located under
User & Device > Monitor > Firewall.
The User Monitor screen displays who has authenticated through the firewall policies of your
FortiGate device at any given moment. It does not include administrators, because they are not
authenticating through firewall policies that allow traffic; they are logging directly into the FortiGate.
This feature also allows you to de-authenticate a user or multiple users simultaneously.
There are no events logged for successful or failed login attempts through a firewall policy.
Users that log in successfully show up in the monitor. Those that do not are prevented from passing
through the firewall.
Once a user is successfully logged in, all further logs generated from the host automatically begin to
contain their user information. Default reports and charts are set up so that the source adjusts to be
the user or the IP if there is no authentication.
You can find the list of possible log events that can show up in the Log & Report > Event Log > User
section in the Log Message Reference Guide on the doc.fortinet.com website.
SSL VPN
In this lesson, we will show you how to use and configure SSL VPN. SSL VPNs are an easy way of
providing access to your private network for remote users.
After completing this lesson, you should have these practical skills that you can use to configure an
SSL VPN for your organization.
A virtual private network enables users to remotely and securely access private resources as if they
were locally connected.
It is generally used to transmit private information safely between LANs separated by an untrusted
public network such as the Internet, so it is not only implemented for providing access to mobile users,
but also for interconnecting geographically dispersed networks across the Internet. The user data
travelling inside a VPN tunnel is encrypted, so it cannot be intercepted by unauthorized users. VPNs
also use security methods to ensure that only authorized users can establish the VPN and access the
private network's resources.
The most common types of VPN are SSL VPN and IPsec VPN.
SSL VPNs are commonly used to secure web transactions. Clients connect to a web portal and log in.
It is essentially meant to connect a PC to a private network. This approach is simple in that users only
need a regular web browser to connect and are not usually required to install any kind of special
software or go through a complex setup. They simply need to access an HTTPS web site and log in.
This makes SSL VPN an ideal solution for users who are either not technically skilled, or who need to
connect from public computers.
IPsec is also used to connect a PC to a private network. However, there are some important
differences. Firstly, SSL VPN access is through a web portal, whereas IPsec is not. Finally, IPsec is a
standard protocol supported by most vendors, so a VPN session can be established not only between
two FortiGate devices, but also between different vendor devices. By comparison, SSL VPN can only
be established between a client PC and an end device.
In this lesson, we are going to focus on SSL VPN.
Web-only mode is used to connect using HTTPS to the FortiGate device from any browser. Once
connected, users need credentials in order to pass an authentication check. Once authenticated,
users are presented with a portal that contains possible resources for them to access. Different users
can have different portals with different resources and access permissions.
One of the widgets contains links to all or some of the resources available for the user to access.
Another widget allows users to type the URL or IP address of the server they want to reach. A
Web-only SSL VPN user makes use of these two widgets to access the internal network. The main
advantage of Web-only mode is that it is clientless. This means the user is not required to install any
client VPN software to obtain access. However, Web-only mode has two main disadvantages. First,
all interaction with the internal network must be done from the browser exclusively (through the web
portal). External network applications running on the user's PC cannot send data across the VPN.
Second, only a limited number of protocols are supported, such as HTTP/HTTPS, FTP, RDP, SMB/CIFS,
SSH, Telnet, VNC, and Ping.
Tunnel mode access begins in much the same way as Web-only mode. Users must connect to the
FortiGate through HTTPS and successfully authenticate. They are then presented with a web page
that has various options, including a widget to activate tunnel mode.
By clicking Connect, a tunnel is established between the PC and the FortiGate device. Inside the
tunnel, IP traffic is encapsulated over HTTPS and sent to the other side. The FortiGate device
receives the traffic and de-encapsulates the IP packets, forwarding them to the private network as if
they originated from the inside. The main advantage of Tunnel mode over Web-only mode is that,
once the VPN is established, any IP network application running on the client can send traffic across
the tunnel. The main disadvantage is that this requires the installation of a VPN software client, which
requires administrative privileges. If the VPN client is not installed when the user accesses the SSL
VPN web portal, the Tunnel Mode widget offers the option to download and install it.
Tunnel mode can operate in two different ways: with and without Split Tunneling enabled.
When Split Tunneling is disabled, all IP traffic generated by the client's PC (including Internet traffic) is
routed across the SSL tunnel to the FortiGate. This sets up the FortiGate as the default gateway for
the host. You can use this method in order to apply UTM features to the traffic on those SSL VPN
clients or to monitor or restrict internet access. This adds more latency and bandwidth usage.
When Split Tunneling is enabled, only traffic destined for the private network(s) behind the FortiGate
gets routed across the tunnel.
There are two methods to connect to an SSL VPN tunnel. The first method is through a browser. The
limitation is that the browser window or tab with the SSL VPN portal must remain open in order to
keep the tunnel up. The second method is through a standalone SSL VPN client. Using an SSL VPN
client means the browser is not necessary to maintain the tunnel, but it also means you have to install
an SSL VPN client.
When the SSL VPN client is installed, a virtual network adapter called fortissl is added to the user's
PC. This virtual adapter dynamically receives an IP address from the FortiGate device each time a
new VPN is established. All packets sent by the client use this virtual IP address as the source
address.
Because tunnel mode requires installing a virtual network adapter, which requires administrative level
access to accomplish, it is not always a feasible method to use. For those situations where tunnel
mode isn't practical and web-only mode isn't flexible enough, there is a web-only extension called port
forward mode.
Rather than use a virtual adapter to create a tunnel with an IP separate from the local IP, port forward
uses a Java applet to set up a local proxy that is accessed by connecting to the loopback address.
Between web-only and tunnel mode, tunnel mode is the most versatile, as it supports any IP
application. However, it requires admin/root privileges to install a VPN client. You can get a direct
tunnel connection either through a browser or by using the standalone VPN client.
Web-only, on the other hand, is clientless, but does not support all the IP applications like tunnel
mode. You can connect only through a browser, and only through one connected to the SSL VPN
portal. Port Forward (an extension of Web-only) supports some additional IP applications, but it
requires users to change the application configuration to send the IP traffic to a Java applet acting as
a local proxy.
The final decision about which mode to use depends on many factors, such as the technical knowledge
of the users, the type of network applications, and whether admin access to the users' PCs is possible.
When users log in to their individual portal, there is an option that allows them to create their own
bookmarks (known as frequently used connections). An administrator must enable the user bookmark
option, and once enabled, users can create and modify their own bookmarks from the portal.
Administrators have the ability to view and delete bookmarks the remote user has added to their SSL
VPN login in the GUI under VPN > SSL > Personal Bookmarks. This allows administrators to monitor
and remove any unwanted bookmarks that do not meet corporate policy.
From the CLI of the FortiGate, administrators can create bookmarks for different users. These
bookmarks appear even if the user bookmark option is disabled in the portal, as that option only
affects the user's ability to create and modify their own bookmarks.
Depending on the type of bookmark an administrator wants to create, they may need to enter
additional information during configuration, such as URLs for websites and folders for FTP sites, to
name a few.
Only three types of bookmarks can be used if employing the Port Forwarding method (an extension
for web-only mode): citrix, portforward, and rdpnative. Citrix and RDP native are specific for that kind
of traffic. Portforward is a generic type of bookmark that you can customize to suit the traffic.
Instead of just adding bookmarks on a per-user basis, administrators can also add bookmarks on a
per-portal basis. This allows bookmarks to appear for all users who log in to that particular portal.
These bookmarks use the exact same configuration options that personal bookmarks do, but can be
configured from the GUI, rather than the CLI. Users cannot modify administrator-added bookmarks,
whether they are created on a per-user or per-portal basis.
To add flexibility to your SSL VPN deployment, you may consider configuring Realms. Realms are
custom login pages, usually for user groups, such as your Accounting team and your Sales team, but
can be for individual users as well. With realms, users and user groups can access different portals
based on the URL they enter. This is unlike a default deployment, where SSL VPN login is handled by
going directly to the FortiGate's IP address. With different portals, you can customize each login page
separately as well as limit concurrent user logins separately.
Example of Realms on a FortiGate:
HTTPS://192.168.1.1
HTTPS://192.168.1.1/Accounting
HTTPS://192.168.1.1/TechnicalSupport
HTTPS://192.168.1.1/Sales
Since SSL VPNs are methods for people outside your network to connect to resources inside your
network, you must take appropriate measures to ensure the safety and security of the information in
your network. There are multiple options and settings available to help secure SSL VPN access. In
this lesson, we'll cover client integrity checking and restricting host connection addresses.
When a user connects to your network through SSL VPN, a portal is established between your
network and the user PC. The VPN session is secured natively in two ways: the connection is
encrypted and the user must log in with their credentials, such as a user name and password.
However, you can configure additional security checks to increase the security of the connection.
One method of increasing your security is through client integrity checking. Client integrity ensures, to
some extent, that the connecting computer is secure by checking whether specific security software,
such as antivirus or firewall software, is installed and running. This feature only supports Microsoft
Windows clients, as it accesses the Windows Security Center to perform its checks. Alternatively, you
can customize this feature to check the status of other applications by using their Globally Unique
Identifier (GUID). The GUID is a unique ID in the Windows Configuration Registry that identifies each
Windows application. Client Integrity can also check the current software and signature versions for
the antivirus and firewall applications.
The Client Integrity check is performed when the VPN is still establishing, just after user
authentication has finished. If the required software is not running on the client's PC, the VPN
connection attempt is rejected even with valid user credentials.
Client Integrity is enabled per web portal and only by using CLI commands.
The list of recognized software, along with the associated registry key value, is available through the
CLI. Software is split into three categories: AntiVirus (av), Firewall (fw), and Custom. Custom is used
for customized or proprietary software that an organization may require. Administrators can only
configure these settings through the CLI.
The disadvantage of enabling Client Integrity checking is that it can result in a lot of administrative
overhead. First, all users must have their security software updated in order to successfully establish a
connection. Second, software updates can change the registry key values, which can
also prevent a user from successfully connecting. As such, administrators must have in-depth
knowledge of the Windows operating system and its registry behavior in order to properly
make extended use of, as well as maintain, this feature.
The second method you can use to help secure SSL VPN access is restricting host connection
addresses. Setting up IP restriction rules can be very useful when considering proper security
configuration. Not all IPs need, or should be allowed, access to the login page. This method allows
you to set up rules to restrict access from specific IPs. One simple rule is to allow or disallow traffic
based on Geographic IP addresses.
The default logic allows all IPs to connect. From the CLI, you can configure the VPN SSL setting to
disallow specific IPs.
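The two checks described above, source-address restriction before the login page is served and client integrity checking after the credentials are accepted, as an added Python model. This is example code, not FortiGate code or the CLI settings themselves; the rule structure, the GUID strings, the version numbers and the addresses are constructed for illustration, and the "every listed item must be running" logic of the host check is an assumption of the model.

```python
"""SSL VPN access gates modelled in Python (added example, not FortiGate code).

Two checks from the text are modelled in the order the FortiGate applies them:
  1. host/source restriction, evaluated before the login page is served;
  2. client integrity (host check), evaluated after credentials are accepted.
GUIDs, addresses and version numbers below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class HostCheckItem:
    """One piece of software the client must be running."""
    category: str            # "av", "fw" or "custom", as in the guide
    guid: str                # identifier reported for the product (constructed)
    min_version: tuple = ()  # () = any version accepted


@dataclass
class SslVpnAccessPolicy:
    # Default logic allows every source; listed networks are denied.
    denied_sources: list = field(default_factory=list)
    # Every item listed here must be present and running (assumed "all" logic).
    host_check: list = field(default_factory=list)


def source_allowed(policy, client_ip):
    """True unless the client address falls inside a denied network."""
    ip = ipaddress.ip_address(client_ip)
    return not any(ip in ipaddress.ip_network(net) for net in policy.denied_sources)


def parse_version(text):
    """'4.2.10' -> (4, 2, 10) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def host_check_passed(policy, posture):
    """posture: dict guid -> {"running": bool, "version": "x.y.z"}, as the
    client would report it from the Windows Security Center / registry."""
    for item in policy.host_check:
        report = posture.get(item.guid)
        if report is None or not report.get("running", False):
            return False
        if item.min_version and parse_version(report["version"]) < item.min_version:
            return False
    return True


def evaluate_login(policy, client_ip, credentials_ok, posture):
    """Return the decision and the gate that produced it."""
    if not source_allowed(policy, client_ip):
        return ("deny", "source-restriction")     # login page never shown
    if not credentials_ok:
        return ("deny", "authentication")
    if not host_check_passed(policy, posture):
        return ("deny", "host-check")             # rejected despite valid credentials
    return ("allow", "portal")


# Constructed sample policy and client posture reports
POLICY = SslVpnAccessPolicy(
    denied_sources=["203.0.113.0/24"],
    host_check=[HostCheckItem("av", "{AV-PRODUCT-GUID}", (4, 2))],
)
HEALTHY = {"{AV-PRODUCT-GUID}": {"running": True, "version": "4.2.10"}}
OUTDATED = {"{AV-PRODUCT-GUID}": {"running": True, "version": "4.1.9"}}
# A product update that changed the registry identifier: the check no longer finds it.
CHANGED_GUID = {"{AV-PRODUCT-GUID-AFTER-UPDATE}": {"running": True, "version": "5.0.0"}}

if __name__ == "__main__":
    for ip, creds, posture in [("198.51.100.7", True, HEALTHY),
                               ("203.0.113.9", True, HEALTHY),
                               ("198.51.100.7", True, OUTDATED),
                               ("198.51.100.7", True, CHANGED_GUID)]:
        print(ip, evaluate_login(POLICY, ip, creds, posture))
```

The last sample report reproduces the administrative overhead the text warns about: after a software update changes the registry identifier, an otherwise healthy client is rejected until the host check list is updated.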
To monitor remote user connections, you can view the SSL VPN Monitor table, accessible through the
GUI under VPN > Monitor > SSL VPN Monitor. This table shows all the SSL VPN users currently
connected to the FortiGate device. It displays the user names, IP addresses, and connection times.
In the table, a subsession row below a user means the user has brought up an SSL VPN tunnel. No
subsession row below the user means the user is only connected to the web portal page. Whether the
VPN tunnel is activated with the Web Portal widget or the standalone client, they appear the same
way in the SSL VPN Monitor table.
When an SSL VPN is disconnected, either by the user or through the SSL VPN idle setting, all
associated sessions in the FortiGate session table are deleted. This prevents reuse of
authenticated SSL VPN sessions (not yet expired) after the initial user terminates the tunnel.
The SSL VPN user idle setting is not associated with the firewall authentication timeout
setting. It is a separate idle option specifically for SSL VPN users. A remote user is
considered idle when the FortiGate does not see any packets or activity from the user within
the configured timeout period.
There are four mandatory steps that must be followed in order to configure SSL VPN. The fifth step is
optional and only necessary to allow access to internal resources.
Configuration does not need to be done strictly in this order. However, there are several places where,
if certain options are not configured ahead of time, you are prevented from making further
configurations.
The first step is to create the accounts and user groups for the SSL VPN clients. User and group
creation was previously covered in the Firewall Authentication module.
All the FortiGate authentication methods, with the exception of Remote Password Authentication
using the FSSO protocol, can be used for SSL VPN authentication. This includes Local Password
Authentication and Remote Password Authentication (using the LDAP, RADIUS, TACACS+, and
POP3 protocols). Two-Factor Authentication, with or without FortiToken, is also supported.
The second step is to configure the portal. A portal is simply a webpage that contains tools and
resource links for the users to access.
Options on the portal, such as tunnel mode, links for downloading FortiClient, and predefined
bookmarks, can be enabled or disabled to allow or deny access. You can individually
configure and link each portal to a specific user group and/or user so they only have access to
required resources.
There are several different theme options that provide different color coding to the portals as well.
This is a sample of an SSL VPN portal page after the user logs in.
It contains various widgets, based on the configuration of the portal. The Bookmarks and
Connection Tool widgets are for web-only mode. The Tunnel Mode widget activates tunnel mode
through the browser. The standalone client can link into that directly, though the user must have
access to a portal that contains the client.
The third step to configuring SSL VPN is to configure the general settings. First, we'll talk about the
connection settings specifically, and then later, the tunnel mode client settings, and the authentication
portal mapping settings.
As with any other HTTPS web site, the SSL VPN portal presents a digital certificate when users are
connecting. By default, the presented certificate is self-signed, which triggers the browser to show a
certificate warning. To avoid the warning, you should use a digital certificate signed by a Certificate
Authority (CA) known to the browser. Alternatively, you can load the digital certificate into the browser
as a trusted authority. Certificates are covered in more detail in the Certificate Operations lesson.
By default, an inactive SSL VPN is disconnected after 300 seconds (5 minutes) of inactivity. You can
change this timeout through Idle Logout settings in the GUI. Note that it is separate from the
authentication idle timeout discussed in the firewall authentication lesson.
Also by default, the port for the SSL VPN portal is 443, which means that users need to connect using
HTTPS to the IP address of the FortiGate device and to port 443 (which is also the standard port for
the administration HTTPS protocol).
In a default configuration, the SSL VPN login portal and the administrator login for HTTPS both use
port 443.
This is convenient because users do not need to specify the port in their browser. For example,
https://www.example.com/ automatically uses port 443 in any browser. This is considered a valid
setup on the FortiGate because you generally don't access the SSL VPN login through every
interface. Likewise, you generally don't enable administrative access on every interface of your
FortiGate. So even though the ports may overlap, the interfaces that each one uses to access may
not.
If SSL VPN and HTTPS admin access both use the same port, and are both enabled on the same
interface, only the SSL VPN login portal will appear. In order to have access to both on the same
interface, you need to change the port number for one of the services. This will affect the port number
for that service on all interfaces.
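A small configuration check for the overlap just described, as an added Python example (not FortiGate code): it reports every interface on which the admin GUI would be hidden behind the SSL VPN portal, and shows the URLs users must type once one of the ports is moved. Interface names, admin-access sets and the 8443 port are constructed for illustration.

```python
"""Check for the SSL VPN / HTTPS admin port overlap (added example, not FortiGate code).

Rule modelled from the text: if both services use the same TCP port and both are
enabled on the same interface, only the SSL VPN portal is reachable there.
Changing a port applies to that service on every interface.
"""
from dataclasses import dataclass, field


@dataclass
class Interface:
    name: str
    admin_access: set            # admin protocols enabled on the interface
    ssl_vpn_login: bool = False  # whether the SSL VPN portal listens here


@dataclass
class Config:
    admin_https_port: int = 443
    ssl_vpn_port: int = 443
    interfaces: list = field(default_factory=list)


def overlapping_interfaces(cfg):
    """Interfaces on which the admin GUI would be hidden behind the portal."""
    if cfg.admin_https_port != cfg.ssl_vpn_port:
        return []
    return [i.name for i in cfg.interfaces
            if "https" in i.admin_access and i.ssl_vpn_login]


def service_urls(cfg, ip):
    """URLs users and admins must type; the port is omitted only for 443."""
    def url(port):
        return f"https://{ip}/" if port == 443 else f"https://{ip}:{port}/"
    return {"ssl_vpn": url(cfg.ssl_vpn_port), "admin": url(cfg.admin_https_port)}


# Constructed sample: wan1 serves the portal, admin HTTPS only on internal.
DEFAULT = Config(interfaces=[
    Interface("wan1", {"ping"}, ssl_vpn_login=True),
    Interface("internal", {"https", "ssh", "ping"}),
])
# Same, but admin HTTPS is also enabled on wan1: overlap on wan1.
OVERLAP = Config(interfaces=[
    Interface("wan1", {"https", "ping"}, ssl_vpn_login=True),
    Interface("internal", {"https", "ssh", "ping"}),
])
# Resolved by moving the admin GUI to another port (applies to all interfaces).
RESOLVED = Config(admin_https_port=8443, interfaces=OVERLAP.interfaces)

if __name__ == "__main__":
    for label, cfg in [("default", DEFAULT), ("overlap", OVERLAP), ("resolved", RESOLVED)]:
        print(label, overlapping_interfaces(cfg), service_urls(cfg, "192.0.2.1"))
```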
Once you set up your SSL VPN connection settings, you can define your Tunnel Mode settings. When
users connect, the tunnel is assigned an IP address. You can choose to use the default range or
create your own range. The IP range determines how many users can connect concurrently.
DNS servers will only be effective if DNS traffic is sent over the VPN tunnel. Generally, this will only
be the case when split tunnel mode is disabled and all traffic is being sent from the client PC across
the tunnel.
The last part of step three is to set up the authentication rules that map users to the appropriate portal
and realm. These settings allow different groups of users to access different portals and/or realms.
The default rule applies to the root realm and must be present, otherwise an error message appears
that prevents any setting changes from being saved.
In the above example, accountants and teachers only have access to their own realms. If they need
access to the root realm to see the student portal, you would need to add an additional authentication
rule.
The fourth, and last, mandatory step to configure SSL VPN involves creating firewall policies for login.
SSL VPN traffic on the FortiGate uses a virtual interface called SSL.<vdom>. Each VDOM contains a
different virtual interface based on its name. By default, if VDOMs are not enabled then the device
operates with a single VDOM called root. VDOMs are covered in more detail in the FCNSP module on
Virtual Networking.
In order to activate and successfully log in to the SSL VPN portal, there must be a firewall policy that
goes from the SSL VPN interface to the interface that is listening for the SSL VPN login, that includes
all of the users/groups that can log in as the source.
If there are multiple interfaces listening for a login, then all of them must be specified, either with
different policies or in the same policy. Without a policy like this, no login portal is presented to users.
In this example, there are three different user groups that log in remotely: Teachers, Accountants, and
Students.
In order to enable authentication, you must create a firewall policy with the source interface as ssl.root
that includes those three groups for the source. That firewall policy will enable the login portal and
allow those groups to authenticate. It will also allow those groups to access resources and bookmarks
that are beyond the wan1 interface. Without a firewall policy that is SSL.<vdom> to the interface that
the user is trying to connect from, no login portal will be presented.
If there are resources behind other interfaces that tunnel mode users need access to, then you need
to create additional policies that allow traffic from ssl.root to exit those interfaces. If resources inside
are allowed to initiate traffic to hosts on the other side of the SSL Tunnel, then policies need to be in
place to allow that.
As an optional step, you can create firewall policies for traffic to the internal network. Any traffic that
gets generated by the users of the SSL VPN exits from the ssl.<vdom> interface. This includes not
only tunnel mode traffic, but traffic generated by the widgets on the web portal page.
The firewall policy discussed in step four allows login and access to external resources. As such,
policies should be created to allow users access to resources inside the network.
In this lesson, we will show you how to set up site-to-site IPsec VPN.
VPNs are heavily used in today's IT infrastructure to join private corporate networks across the Internet.
IPsec is an RFC standard. Whether you have FortiGate devices only or mix in another vendor's devices,
the principles are essentially the same.
After completing this lesson, you should have these practical skills that you can use to set up a simple
IPsec tunnel for a site-to-site VPN.
During this, we will explain how to choose between configuring a policy-based or route-based VPN. You
will also learn how to verify the status of each tunnel.
A Virtual Private Network (VPN) allows people in remote places separated by the Internet to securely
access resources on your local network. For example, if workers are traveling or working from home,
you can use a VPN to give LAN access to them. You can also use a VPN to interconnect multiple
campuses.
There are multiple types of VPN: PPTP, L2TP, SSL VPN, and IPsec are popular choices.
PPTP is fast, but security is weak, and easily defeated.
IPsec requires a gateway or installation of client software. So it is more complicated to set up for
mobile users than SSL VPN, where they can simply utilize their web browser instead.
SSL VPN is designed for tunnels between a single client and a LAN, not between entire offices.
Because of this, many networks now use a combination of SSL VPN for mobile user access
and IPsec or L2TP for tunnels between offices.
Often, tunnel is used as a synonym for VPN, although not all VPNs technically are tunnels, as we will
see in a minute.
When we say the IPsec protocol, what layers & protocols are we talking about?
IPsec injects itself above the third layer: IP. What's encapsulated? It depends on the mode. IPsec
can operate in two modes: transport mode, or tunnel mode.
Transport mode directly encapsulates what would usually be the fourth layer (TCP transport, for
example) and above.
Once the IPsec encapsulation is removed, there is no additional routing layer left. That's why it's also
called direct peer-to-peer or client-to-client. So this mode is not technically a tunnel, even though
many people use the word VPN and tunnel interchangeably. (Tunneling technically means
encapsulating an IP packet inside another IP packet.) Transport mode does not traverse NAT well,
especially carrier-grade symmetric NAT, and depending on the case, may require NAT Traversal,
ALG or hole punching, or may not work. This is because port numbers are inside the encrypted ESP
payload.
Tunnel mode is a true tunnel. Encapsulation first adds a second IP layer, then the original transport
layer (TCP, UDP, etc.). The second IP layer contains a private network that is routable on the remote
network. Once the IPsec packet reaches the remote LAN, and is unwrapped, the packet can
continue on its journey.
To fit an IPsec packet into the frame, when FortiGate applies ESP, one payload may be split in order to
fit into two packets. So you don't need to adjust frame MTU. But this does mean that you might need
more bandwidth for VPN traffic.
Let's look at the 2 methods of encapsulation: Which should you choose? Why might some extra
bandwidth be needed? Why is NAT traversal necessary?
Blue underlined parts of each packet are additional bits that are required by ESP. It varies by transport
vs. tunnel mode.
Relative to a non-IPsec packet, notice that the green Layer 4 transport area of the frame is now shorter.
Remember, the 1500 byte default frame MTU has not changed. Payload length is variable, and filled with
padding. So this doesn't always matter. But if the additional ESP bits cause the packet payload to not fit,
then FortiGate must split the payload into multiple frames. IKE is in separate packets, too, and also
requires additional bits to be transmitted.
You are trading some bandwidth for:
Security, and
Routability (in the case of tunnel mode)
Notice that after you remove the VPN-related headers, a transport mode packet can't be transmitted any
further: it has no second IP header inside. So it's not routable.
That's OK if the packet is decrypted at an endpoint such as the FortiGate itself (think of encrypted Syslog
tunnels, and some special cases such as multicast, GRE-IPsec and L2TP-IPsec for Windows/Android
clients), but not usually if there are more router hops until the packet reaches its destination. For those
purposes, you'll need tunnel mode instead.
Notice, too, that TCP or UDP port numbers are inside the ESP payload. They will be encrypted. So NAT
can't rewrite them for port forwarding or port overloading.
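The extra bits and the resulting split into two frames, worked through with actual byte counts, as an added Python example (not FortiGate code). It goes slightly beyond the slide: besides transport and tunnel mode it includes the 8-byte UDP header that NAT traversal adds. The field sizes follow RFC 4303 (ESP) and RFC 3948 (UDP encapsulation); the 1500-byte MTU, the IPv4/TCP headers without options, and the cipher and HMAC choices are assumptions of the calculation, and the fragment count is the plain IPv4 fragmentation arithmetic, not a claim about FortiGate's exact splitting logic.

```python
"""ESP overhead for transport vs. tunnel mode (added example, not FortiGate code).

Layout on the wire, after RFC 4303 and RFC 3948:
  outer IPv4 20 | [UDP 8 if NAT-T] | SPI+Seq 8 | IV | encrypted part | ICV
The encrypted part is the transport segment (transport mode) or the whole
original IP packet (tunnel mode), padded to the cipher block size plus the
2-byte Pad Length / Next Header trailer. Assumed: 1500-byte MTU, IPv4 and
TCP headers without options, AES-CBC and truncated HMAC lengths as below.
"""
import math

IP_HDR = 20          # IPv4 header without options
UDP_HDR = 8          # NAT-T encapsulation on UDP port 4500
ESP_HDR = 8          # SPI + sequence number
PAD_TRAILER = 2      # Pad Length + Next Header
CIPHERS = {          # name -> (IV length, block size) in bytes
    "aes128-cbc": (16, 16),
    "aes256-cbc": (16, 16),
    "3des-cbc": (8, 8),
}
ICV = {"sha1": 12, "sha256": 16, "md5": 12}   # truncated HMAC lengths


def esp_packet_size(data_len, mode, cipher="aes128-cbc", auth="sha1",
                    nat_t=False, l4_hdr=20):
    """Bytes on the wire for one ESP packet carrying data_len bytes of L4 payload."""
    iv_len, block = CIPHERS[cipher]
    if mode == "transport":
        inner = l4_hdr + data_len                 # only L4 and above are wrapped
    elif mode == "tunnel":
        inner = IP_HDR + l4_hdr + data_len        # original IP header wrapped too
    else:
        raise ValueError(f"unknown mode {mode!r}")
    pad = (-(inner + PAD_TRAILER)) % block        # pad so the trailer ends a block
    encrypted = inner + pad + PAD_TRAILER
    return (IP_HDR + (UDP_HDR if nat_t else 0) + ESP_HDR + iv_len
            + encrypted + ICV[auth])


def fragments_needed(size, mtu=1500):
    """IPv4 fragments required to carry one ESP packet of the given size."""
    if size <= mtu:
        return 1
    per_fragment = (mtu - IP_HDR) // 8 * 8        # fragment offsets are 8-byte units
    return math.ceil((size - IP_HDR) / per_fragment)


def max_data_without_fragmentation(mode, mtu=1500, **kw):
    """Largest L4 payload whose ESP packet still fits in one frame."""
    best = 0
    for data_len in range(mtu):                   # sizes grow monotonically
        if esp_packet_size(data_len, mode, **kw) <= mtu:
            best = data_len
    return best


if __name__ == "__main__":
    # Worked example: a full-size TCP segment (20-byte header, 1460 bytes of data).
    for mode in ("transport", "tunnel"):
        size = esp_packet_size(1460, mode)
        print(f"{mode:9s} {size} bytes -> {fragments_needed(size)} fragment(s); "
              f"max unfragmented data {max_data_without_fragmentation(mode)}")
    print("tunnel + NAT-T", esp_packet_size(1460, "tunnel", nat_t=True), "bytes")
```

For a full 1460-byte TCP segment the ESP packet grows to 1544 bytes in transport mode and 1560 bytes in tunnel mode, so either way it no longer fits one 1500-byte frame and is sent as two; the largest segment that still fits unfragmented is 1418 bytes in transport mode and 1398 bytes in tunnel mode with these settings.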
Because encapsulation styles and other settings vary, and any mismatches cause VPNs to fail, starting
with FortiOS 5.2, there are VPN templates.
You can use these to simplify VPN setup, reducing the guesswork about what settings are compatible
between devices.
But sometimes you may need to create a tunnel manually, or pass it through a NAT device. So let's show
you how.
If you're passing your VPN through NAT devices such as firewalls, it helps to know which protocols to
allow.
Really, IPsec means three separate protocols:
IKE, which is used to authenticate peers, exchange keys, and negotiate the encryption and
checksums that will be used; essentially, it is the control channel
AH, which is the authentication header: the checksums that verify the integrity of the data
ESP, which is the Encapsulating Security Payload: the encrypted payload, essentially, the data
channel
So if you need to pass IPsec traffic through another firewall, remember: allowing just 1 protocol or port
number is not enough.
Note that although the IPsec RFC mentions AH, it does not offer encryption, an important benefit. So it is
not used by FortiGate. As a result, you don't need to allow IP protocol 51.
To make a VPN, configure matching settings on both ends, whether the VPN is between 2 FortiGates,
or between a FortiGate and FortiClient, or between a 3rd party device and a FortiGate. If the settings
don't match, tunnel setup will fail.
On FortiGate, there are two ways a packet can initiate an IPsec VPN: by matching a route, or by
matching a policy. (In our old documentation, route-based used to be called interface-based, and
policy-based used to be called tunnel-based.)
How do you know when to use policy-based or route-based?
Generally, try to use route-based. It offers more flexibility and control. We can implement very complex
routing scenarios, such as where tunneled traffic is required to be routed with policy-based routing, or if
you require GRE-over-IPsec.
In comparison, policy-based VPNs must be used when the FortiGate is in transparent mode, or if the
other peer requires L2TP-over-IPsec.
If you have a simple case like the site-to-site scenario in this lesson, use the VPN wizard.
But if you need to tailor your VPN settings, you can still make a custom VPN.
When making a route-based VPN, one additional step is usually required: you must also create a route
to direct VPN traffic to the new virtual interface for IPsec. (If you use the wizard, though, this is done
automatically.)
When the VPN wizard is completed, FortiGate automatically creates many of the required objects:
Addresses and address groups
Static routes
Policies
Phase 1 and Phase 2 settings
To immediately check the status of your tunnel, click Show Tunnel List. This can be your first test of
whether your VPN is working.
At the end of Phase I, FortiGate uses the Diffie-Hellman method. It uses the public key (that both
ends know) plus a mathematical factor called a nonce in order to generate a common private key.
This is crucial. With Diffie-Hellman, even if an attacker can listen in to the messages containing
the public keys, they cannot determine the secret key. This is why it works even with a weakly
authenticated IKE channel, where a user name and password and FortiToken have not been
exchanged, for example.
The new private key is used to calculate additional keys: for symmetric encryption and authentication.
If your VPN must pass through a NAT device, as we mentioned, ESP encryption would normally prevent
the NAT device from being able to read and remap the port numbers inside.
To solve this, Phase I was extended. It added NAT traversal, also called NAT-T. When NAT-T is
enabled in both ends, peers can detect any NAT device along the path. If NAT is found, then:
Both Phase 2 and remaining Phase 1 packets change to UDP port 4500
FortiGate and client encapsulate ESP within UDP port 4500
So if you have two FortiGates that are behind, for example, an ISP modem that has NAT, you will
probably need to enable this setting.
Once details such as dead peer detection, NAT, and symmetric keys have been determined, your
FortiGate is ready to establish the real SA, that is, the IPsec SA, which defines the ESP channel that will
be used to encapsulate and transmit data through the VPN.
It does this via IKE Phase II.
There can be 1 tunnel for Phase I, but 2 or more tunnels for Phase II. Let's see how.
Once Phase 1 has established a somewhat secure channel and private keys, Phase 2 begins.
Phase 2 negotiates security parameters for the IPsec SA, not to be confused with the IKE SA. It is this
IPsec SA, not the IKE SA, that ESP will use to transmit data between LANs.
IKE Phase 2 does not end once ESP begins. Phase 2 periodically renegotiates cryptography. This
maintains security. Also, if you enable Perfect Forward Secrecy, each time the Phase 2 session
key expires, FortiGate will use Diffie-Hellman to recalculate a new common secret key. So even if
the same encryption algorithms are selected each time, the ESP tunnel will be changing to use a
different private key, making it much harder for an attacker to crack the tunnel.
Each Phase 1 can have multiple Phase 2s. When would this happen?
For example, you may want to use different encryption keys for each subnet whose traffic is crossing the
tunnel. How does FortiGate select which Phase 2 to use? The Quick Mode selectors.
Additionally, most traffic is two-way traffic. So this means there are usually two tunnels, and two ESP
SAs: one for each direction.
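The Phase 1 key agreement from the earlier slide and the PFS rekey just described, as an added Python model (not FortiGate code and not a real IKE implementation). It also covers the point made earlier that settings on both ends must match: a proposal is negotiated before any key exchange, and nothing in common means no Phase 1. The group is a toy safe prime chosen so the numbers stay readable, not one of the MODP groups real IKE uses; the proposal tuples, peer names and the HMAC-SHA256 key derivation are assumptions of the model rather than IKE's exact PRF schedule.

```python
"""IKE Phase 1 key agreement and Phase 2 rekeying, modelled in Python.

Added example, not FortiGate code. It covers three points from the text: peers
must first agree on a proposal (mismatched settings mean no Phase 1), both
peers derive the same Diffie-Hellman secret although only the public values and
nonces cross the wire, and with PFS each Phase 2 rekey runs a fresh exchange
instead of deriving new keys from the original secret. The group is a toy safe
prime so the numbers stay readable; real IKE uses the MODP groups of RFC 2409
and RFC 3526, and the key derivation here is a simplified HMAC-SHA256 chain
rather than IKE's exact PRF schedule.
"""
import hashlib
import hmac
import secrets

# dh_group -> (p, g). Toy group: p = 1019 is a safe prime, (p-1)/2 = 509 is prime.
TOY_GROUPS = {2: (1019, 2)}


def negotiate(initiator_proposals, responder_proposals):
    """First proposal the initiator offers that the responder also accepts."""
    for proposal in initiator_proposals:
        if proposal in responder_proposals:
            return proposal
    return None  # nothing in common: Phase 1 cannot establish


class Peer:
    def __init__(self, name, proposals):
        self.name = name
        self.proposals = proposals      # list of (encryption, auth, dh_group)
        self.p = self.g = None
        self.priv = self.pub = None
        self.nonce = None
        self.secret = None              # most recent DH secret, as bytes

    def start_exchange(self, dh_group):
        """Fresh nonce and fresh private exponent for every exchange."""
        self.p, self.g = TOY_GROUPS[dh_group]
        q = (self.p - 1) // 2
        self.nonce = secrets.token_bytes(16)
        self.priv = secrets.randbelow(q - 2) + 2     # 2 .. q-1, never reused
        self.pub = pow(self.g, self.priv, self.p)
        return self.pub, self.nonce

    def finish_exchange(self, peer_pub):
        """Compute the shared secret, rejecting degenerate public values."""
        if not 2 <= peer_pub <= self.p - 2:
            raise ValueError("invalid peer public value")
        shared = pow(peer_pub, self.priv, self.p)
        self.secret = shared.to_bytes((self.p.bit_length() + 7) // 8, "big")
        return self.secret


def derive_keys(secret, nonce_i, nonce_r):
    """Symmetric encryption and authentication keys from the secret and nonces."""
    seed = hmac.new(nonce_i + nonce_r, secret, hashlib.sha256).digest()
    return {
        "enc": hmac.new(seed, b"encryption", hashlib.sha256).digest()[:16],
        "auth": hmac.new(seed, b"authentication", hashlib.sha256).digest(),
    }


def _exchange(initiator, responder, dh_group):
    pub_i, nonce_i = initiator.start_exchange(dh_group)
    pub_r, nonce_r = responder.start_exchange(dh_group)
    # An observer sees pub_i, pub_r and both nonces, never a private exponent.
    keys_i = derive_keys(initiator.finish_exchange(pub_r), nonce_i, nonce_r)
    keys_r = derive_keys(responder.finish_exchange(pub_i), nonce_i, nonce_r)
    return keys_i, keys_r


def phase1(initiator, responder):
    """Proposal negotiation, then Diffie-Hellman; returns (keys_i, keys_r) or None."""
    agreed = negotiate(initiator.proposals, responder.proposals)
    if agreed is None:
        return None
    return _exchange(initiator, responder, agreed[2])


def phase2_rekey(initiator, responder, dh_group, pfs):
    """Fresh nonces every time; a fresh DH exchange only when PFS is enabled."""
    if pfs:
        return _exchange(initiator, responder, dh_group)
    # Without PFS every generation of keys descends from the existing secret.
    nonce_i = initiator.nonce = secrets.token_bytes(16)
    nonce_r = responder.nonce = secrets.token_bytes(16)
    return (derive_keys(initiator.secret, nonce_i, nonce_r),
            derive_keys(responder.secret, nonce_i, nonce_r))
```

Both branches of `phase2_rekey` produce new keys because the nonces change; the difference is what the new keys are derived from. Without PFS a compromise of the one Phase 1 secret exposes every later generation, whereas with PFS each generation rests on an exponent that was never stored for longer than one exchange.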
During Phase 2, we must configure a pair of settings called Quick Mode Selectors. They identify and
direct traffic to the appropriate Phase 2 if there are multiple.
In other words, it allows granular SAs.
Selectors behave similarly to a firewall policy. VPN traffic must match selectors in one of the Phase 2
SAs. If it does not, the traffic is dropped.
When configuring selectors, specify the source and destination IP subnet that will match each Phase
2. You can also specify the protocol number, and source and destination ports for the allowed traffic.
In point-to-point VPNs, such as when connecting a branch office FortiGate to a headquarters
FortiGate, both sides' configurations must mirror each other.
Quick mode selectors for dial-up VPNs are different, and details are in the advanced IPsec lesson.
Once all settings are configured, each time that a host on your local LAN sends a packet where the
destination is on the remote LAN, FortiGate should automatically bring up the VPN tunnel. It should
remain available for some time, as long as the tunnel is being used.
If you need detailed control of your VPN, such as for IKE version 2, you can still configure it manually.
If you are configuring a custom VPN, you can start from the wizard. Click Custom VPN Tunnel (No
Template).
Configure the remote FortiGate's WAN IP address, and indicate which network interface on this local
FortiGate is the gateway that leads to it. FortiGate will use this to connect to the other end.
If your peers use pre-shared keys for the initial (IKE) authentication, both peers must be configured with
the same pre-shared key. For Phase 1, choose which encryption and authentication to propose, and so
on. They should match, too. If peers can't agree on IKE security, even Phase 1 won't be established. So
if in doubt, make sure Phase 1 and Phase 2 settings on both FortiGates match.
You already identified the other FortiGate's WAN IP (the Remote Gateway), so now also indicate your
local FortiGate's WAN IP. Remember: during IKE, each side must have some way to identify its peer so
that it can label the IKE SA.
Once Phase 1 completes, Phase 2 begins. This sets up the ESP tunnels that will be used for actual data
transfer. For each subnet on each end of the VPN, you can specify different levels of ESP security. For
example, connections to the Finance LAN might need larger key sizes and stronger authentication. To
do this, configure multiple Phase 2 entries. For simplicity, here, we show only one Phase 2: the Local
Address is our LAN, and the Remote Address is the remote LAN.
Remember that if traffic doesn't match an IPsec SA, the IPsec engine will drop the packet. Usually,
it's more intuitive to filter traffic with firewall policies. So if you don't want to use SA filtering, you can just
set the quick mode selectors to be 0.0.0.0/0.
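Quick mode selectors as a packet filter, as an added Python model (not FortiGate code) that serves both the Quick Mode Selectors slide and the SA filtering remark above: a packet must match the selector of one Phase 2 or it is dropped, the remote peer needs the mirrored selectors, a Finance subnet can be given its own Phase 2, and a 0.0.0.0/0 selector passes everything so that filtering is left to firewall policies. The subnets, Phase 2 names and packets are constructed for illustration, and first-match ordering is an assumption of the model.

```python
"""Quick mode selectors as a packet filter (added example, not FortiGate code).

Rule modelled from the text: a packet crossing the VPN must match the selectors
of one Phase 2; otherwise the IPsec engine drops it. Also shows the mirrored
configuration the remote peer needs and the 0.0.0.0/0 catch-all used when
filtering is left to firewall policies. Subnets and names are constructed.
"""
import ipaddress
from dataclasses import dataclass

ANY = 0   # protocol or port value meaning "not restricted"


@dataclass(frozen=True)
class Selector:
    phase2: str           # name of the Phase 2 entry this selector belongs to
    src: str              # local address range, as configured on this side
    dst: str              # remote address range
    proto: int = ANY      # IP protocol number (6 = TCP, 17 = UDP)
    src_port: int = ANY
    dst_port: int = ANY

    def mirrored(self):
        """The selector the remote peer must configure for the same Phase 2."""
        return Selector(self.phase2, self.dst, self.src, self.proto,
                        self.dst_port, self.src_port)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    src_port: int = 0
    dst_port: int = 0


def _match(sel, pkt):
    return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(sel.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(sel.dst)
            and sel.proto in (ANY, pkt.proto)
            and sel.src_port in (ANY, pkt.src_port)
            and sel.dst_port in (ANY, pkt.dst_port))


def select_phase2(selectors, pkt):
    """Name of the first Phase 2 whose selector matches, or None (packet dropped)."""
    for sel in selectors:
        if _match(sel, pkt):
            return sel.phase2
    return None


# Constructed branch-office configuration: Finance gets its own Phase 2 (so it
# can use stronger ESP settings); the more specific selector is listed first.
LOCAL_SELECTORS = [
    Selector("p2-finance", "10.1.10.0/24", "10.2.10.0/24"),
    Selector("p2-general", "10.1.0.0/16", "10.2.0.0/16"),
]
REMOTE_SELECTORS = [sel.mirrored() for sel in LOCAL_SELECTORS]
CATCH_ALL = [Selector("p2-any", "0.0.0.0/0", "0.0.0.0/0")]

if __name__ == "__main__":
    for pkt in [Packet("10.1.10.5", "10.2.10.7", 6, 50000, 445),
                Packet("10.1.20.5", "10.2.30.7", 17, 5000, 53),
                Packet("10.1.20.5", "10.3.0.7", 6, 1, 2)]:
        print(pkt.src, "->", pkt.dst,
              "local:", select_phase2(LOCAL_SELECTORS, pkt),
              "catch-all:", select_phase2(CATCH_ALL, pkt))
```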
If you used the wizard for everything, it would have created routes and policies suitable for a route-based
VPN. What if you, for example, have a FortiGate in transparent mode?
Remember, first, you must enable the GUI to show policy-based IPsec options. Configure your phases
as before, then create a policy. When policy-based VPN settings are visible, an additional Action
setting is available when you configure a policy. Choose IPsec. Then choose the policy-mode tunnel
settings.
If you enable Allow traffic to be initiated from the remote site, you only need to make one policy. It will
govern both directions.
In route-based VPN, you need to route VPN traffic destined for the remote LAN to the IPsec interface. If
you used the wizard, this was created for you, automatically.
(In a policy-based VPN, traffic is routed to wan1 or another external interface instead. Since there is
usually a default route, which routes all non-local packets towards the Internet, that's why policy-based
VPNs can usually skip this step.)
To do this, usually you'll add a static route.
In the GUI, there is a tool to monitor the status of your IPsec VPNs. Through this tool, you can see how
much traffic has passed through each tunnel. You can also start and stop individual tunnels, and get
additional details.
If the tunnel is up, there will be a green arrow appearing next to its name. If it is down or not in use, then
a red arrow is displayed.
For example, here, simply by looking at the remote Gateway column, you can find a misconfiguration
problem: the IP should be an interface on the remote FortiGate, not a subnet IP. So it is impossible to
bring up.
This example shows 3 different VPN tunnels: Client_VPN, Home_VPN, and Office_VPN.
The phase 1 Office_VPN appears twice because it has two separate phase 2s associated with the same
phase 1. The other VPNs have one phase 2 per phase 1.
For each phase 2, we can see the phase 1 name, key life remaining time, status and the quick mode
selectors.
If your tunnel is not starting, it helps to know the expected behavior. This varies by type.
This outlines the steps. Depending on whether you are creating a route (interface-based) or policy-based
VPN, FortiGate will use a different mechanism.
One common mistake is to configure a policy-based VPN, but to set the action to ACCEPT, which
causes FortiGate to egress clear text packets, not encrypted ones.
Another common mistake is to route egressing packets to the wrong port. Remember, route-based
VPNs must egress through the virtual interface, not the WAN.
Like with any feature, IPsec uses some system resources. Requirements vary by the number of VPNs.
Strong cryptography involving large key sizes can increase resource usage noticeably. Many models of
FortiGate have specialized FortiASIC chips to increase IPsec cryptographic performance, so especially if
you have many tunnels simultaneously, check that your configuration offloads cryptography to these
chips where possible. In some cases, you may be able to offload incoming traffic to one ASIC, and
outgoing traffic to another ASIC.
Details are in the hardware acceleration lesson.
To review, these are the topics we've talked about. We presented an overview of the IPsec technology,
which includes Internet Key Exchange, phase 1, phase 2, Diffie-Hellman and Quick Mode Selectors. We
also showed the difference between policy-based and route-based VPNs, and how to use the VPN
monitor.
In this lesson, we will show you how to use antivirus scanning on a FortiGate.
Since antivirus scanning is one of the features that, depending on your configuration
and chosen signature database, can use significant RAM, we will also show you how
to resolve conserve mode.
After completing this lesson, you should have these practical skills. Not only will you
be able to configure antivirus, but you should have a better understanding of how
virus scanning works, along with knowledge of some tools to help you optimize
memory usage on your FortiGate.
How old are viruses? In 1949, John Von Neumann gave lectures at the University of
Illinois about what he called self-replicating automata. On ARPANET, the precursor
to the Internet, the first virus, named Creeper, was detected in 1971.
Since then, malicious software has evolved into many types. Technically, although
we often refer to all malware as viruses, not every piece of unwanted software
behaves like a virus: malware is not always self-replicating, and sometimes users
willingly install it. To include viruses, worms, Trojans, spyware and all others, we now
use the term malware.
Malware can be divided into 2 major types:
viruses, which infect the computer and spread on their own (generally via an exploit),
such as Flash ad banners whose binaries contain buffer overflow code
grayware, which requires some kind of user interaction but convinces users that the
benefit outweighs the cost, such as browser toolbars that also track the user's
activity and insert their own ads into web pages
340
341
Regardless of how the virus spreads, once installed, a virus is somehow malicious.
What makes it malicious? Its behavior. (This is one of the reasons, by the way, that
security analysts use sandboxing such as FortiSandbox to discover new viruses.
Looking at which C functions a virus contains, for example, cannot find all viruses.
A forensics lab must see which functions actually execute, and what the effects are.)
Most people are familiar with spyware, adware, and rootkits. Malware could also be:
Ransomware such as the CryptoLocker worm is fairly new. The software holds the
computer hostage, often encrypting critical user data with a password or secret key,
until the victim pays the extortionist.
Key loggers record keystrokes and return them to a remote location, including
sending administrator logins and personal email addresses for executives.
Mass mailers transform computers into open relay mail servers for the botnet, often
managed via a remote command and control, sending spam for hire. These are often
operated by organized crime syndicates.
342
Just as viruses have evolved many vectors for spreading, they also have evolved
many techniques for evading antivirus engines and manual analysis.
Viruses can encrypt their payloads, or change the exact code. As a result, when
comparing a signature to the binary sample, the two therefore aren't an exact, bit-by-bit match. So in order to detect the virus, the engine must be able to either:
match flexibly, or
ignore the changeable parts of the code, and match only based on the polymorphic
or metamorphic engine.
343
Now that you know some different ways that viruses spread and evade detection,
what are some methods that FortiGate uses to find and block them?
344
At the host level, a host-based antivirus software such as FortiClient helps. But host-based antivirus can't be installed on routers. Guest Wi-Fi networks and ISP
customers also might not have antivirus software installed. So how can you protect
them? And how can you protect your own network from these botnets?
The solution is to implement antivirus in your network security on your FortiGate.
Just like viruses have many ways that they try to avoid detection, FortiGate has
many techniques that it can use to detect them. Let's explain each method.
345
The first, fastest, simplest way to detect malware is if it exactly matches a signature.
Grayware is not technically a virus; remember, it is often bundled with innocuous
software, but it does have unwanted side effects, so it is categorized as malware.
Often, grayware can be detected this way, with a simple FortiGuard Antivirus
signature.
But for the reasons we just described, viruses usually cannot be detected this way.
346
What is another way that FortiGate can use to detect viruses? It can look for
attributes that viruses usually have; in other words, it can apply heuristics.
Heuristics are based on probability, so they increase the possibility of false positives,
but they also can detect zero-day viruses, that is, viruses that are new and unknown, and
for which no signature exists yet. That is the tradeoff. If your network is a frequent
target for virus-writers, enabling heuristics may be worth the performance cost
because it can help you to detect a virus before the outbreak begins.
By default, when the antivirus scan's heuristic engine detects a virus-like
characteristic, it will log the file as Suspicious but will not block it. Suspicious files
can be treated differently from a positive match with a virus or grayware signature:
you can choose whether to block or allow suspicious files.
When should you disable heuristic blocking vs. configure the antivirus scan to only
log detections?
Windows operating system updates often modify the registry. Viruses often do this,
too, however. So, for example, you might apply log-only heuristic scans to Windows
updates, but block suspicious behavior in all other connections.
347
Remember, if the antivirus scan's heuristic engine finds a suspicious file, it may not
always be a virus. So you might want to configure a separate action for it, or a
separate policy where heuristics are disabled for connections that you know will trigger
false positives.
To configure the action that FortiGate will take if the scan finds a suspicious file, use
these CLI commands.
348
What if heuristics is too uncertain? What if you need a more sophisticated, more
certain way to detect malware, and to find zero-day viruses?
You can integrate your antivirus scans with FortiSandbox. For environments that
require more iron-clad certainty, FortiSandbox executes the file within a protected
environment, then examines the effects of the software to see if it is dangerous.
For example, let's say you have 2 files. Both alter the system registry, and are
therefore suspicious. One is a driver installation, whose behavior is normal, but the
second file installs a virus that connects to a botnet command and control server.
Sandboxing would reveal the difference. Then, you can submit a sample of the new
virus to FortiGuard security researchers, and quickly receive and deploy a
FortiGuard Antivirus or IPS update to defend your network against this new threat.
349
In order for FortiGate to sandbox files, it must be able to send them to either a
FortiSandbox device or a FortiCloud sandboxing account.
What is the primary difference between the two?
FortiCloud has limits imposed on the amount of data that can be transmitted. Each
account has a quota.
FortiSandbox limitations vary by the model's capabilities.
On FortiSandbox, you also must configure it to accept input from your FortiGate or
FortiMail.
350
Whether you use FortiSandbox to discover new viruses, or one is discovered by your
own security team, the next step is to develop a signature to detect it so that your
FortiGates can begin to block it.
New viruses can be submitted to FortiGuard's security research team manually or
automatically, via FortiSandbox or FortiCloud Sandbox.
If you want to submit a new virus manually, go to the FortiGuard web site. Upload the
file for scanning. If the virus does not currently exist in any of the FortiGuard
Antivirus databases, the web site will report it as being clean. You will then have
the option to submit the sample to FortiGuard analysts. They will develop a signature
for it, as well as engine modifications (if necessary), and this will be in the next
update that your FortiGate and FortiMail devices download from FortiGuard.
In addition to protecting your own network, this obviously also helps to ensure that
other networks won't be infected either. By being part of a united security
community, you can help to stop botnets from growing into large threats. This has
benefits for you, and not just your neighbors. If your neighbors aren't infected, your
network won't need to spend as much CPU, RAM, and bandwidth on fighting spam,
worms, DDoS attacks, and other threats.
351
Now that we've discussed the types of scans, let's talk about the engines that use
them. They don't behave the same way.
FortiGate has traditional proxies, which break up each session into particular states
which it analyzes, but it can also analyze traffic as a more continuous packet flow.
Let's discuss how to choose between those two types of engine.
352
One of the factors when choosing an antivirus engine is speed. Software that is
installed on endpoints such as FortiClient can usually schedule scans for later, pause
the current scan, or scan only with spare CPU cycles when the computer is idle. In
other words, time is not a factor.
But on a network device, this is not possible.
FortiGate must scan quickly to avoid a session or connection timeout. FortiGate will
allow up to 30 seconds for a scan to complete. If it takes longer than that, then a
process called a watchdog terminates the scan, and allows the traffic to pass. Also,
FortiGate creates an event log saying that scanunit crashed with a Signal 14. It's
not a real crash (it's not abnormal behavior, exactly), but because the scan is
terminated before completing, from the software's perspective that's technically a
crash, so the event log records it as one.
As you can see, speed is an important factor in network antivirus scans. With that in
mind, let's consider the two engines.
353
354
What is another way to reduce latency? Use the flow-based engine instead.
It doesn't analyze sessions in discrete protocol stages. The flow-based engine scans
the packets as a continuous stream, looking for viral payloads regardless of
surrounding protocol details. Depending on your model, some flow-based operations
may be performed by a specialized FortiASIC chip, further improving performance.
But flow-based scans can't support all features that proxy-based scans can.
The flow-based engine doesn't operate according to the rules of the protocol. This
means that even if the scan later detects a virus, the flow-based engine may have
already forwarded packets where it should have inserted a block message. So the
client may think it is a network error, and try again. Also, much like a proxy with client
comforting enabled, the flow-based engine forwards packets at the same time as
scanning the payload. The result? The client may already have received most of a
virus by the time that the scan drops the connection. Like with client comforting, if
your environment requires very high security, you may want to avoid this option.
Regardless of which engine you use, the scan techniques will give similar detection
rates. How can you choose between the scan engines? If performance is your top
priority, then flow-based is more appropriate. If security is your priority, proxy-based
with client comforting disabled is more appropriate.
355
Both engines buffer up to your specified file size limit. The default is 10 MB. It's large
enough for most files except movies. If your FortiGate model has more RAM,
though, you may be able to increase this threshold.
Without a limit, very large files could exhaust scan memory. So this threshold
balances risk vs. performance. Is this tradeoff unique to FortiGate, or to a specific
model? No. Regardless of vendor or model, you must make a choice. This is due to
the difference between scans in theory, that have no limits, and scans on real-world
devices that have finite RAM. In order to detect 100% of malware regardless of file
size, a firewall would need infinitely large RAM, something that no device has in the
real world.
Most viruses are very small. So, percentage-wise (unless many viruses are Trojans
appended to the very end of a large file), changing this value doesn't impact security
very much. This table shows a typical tradeoff. You can see that even with a 5 MB
threshold, only 0.14% of spyware passes through. But after billions of packets,
several hosts may require disinfection.
356
357
Relatedly, large files are often compressed. From the scan's perspective, this is light
encryption. It won't match signatures. So FortiGate must decompress the file in order
to scan it.
When decompressing, FortiGate must first identify the compression algorithm. Some
archive types can be correctly identified using only the header. Also, FortiGate must
check whether the file is password-protected. If the archive is protected with a
password, FortiGate can't decompress it, and therefore can't scan it.
FortiGate then decompresses files into RAM. Just like other large files, this buffer
has a maximum size: uncompress-oversize-limit. Increasing this limit may decrease
performance, but allows you to scan larger compressed files.
If an archive is nested (for example, if an attacker is trying to circumvent your scans
by putting a ZIP file inside the ZIP file), FortiGate will try to undo all layers of
compression. By default, FortiGate will attempt to uncompress and scan up to 12
layers deep, but you can configure it to scan up to 100 layers deep. Often, you
shouldn't increase this setting, though. It increases RAM usage, and if a file is
repeatedly compressed more than 12 times, it is almost always a virus anyway.
358
359
If the file has been completely transmitted (that is, FortiGate reaches the byte that
marks the end of the file, EoF), then FortiGate decompresses the file (if applicable)
and uses these scans, in this order.
The virus scan is first, because the results have high certainty and the computations
are fast. Heuristics, which are less certain, are applied last.
360
If you consider all of the settings together, this is the complete decision tree that
FortiGate uses for antivirus scans.
361
When an attacker releases a new virus into the wild, like with all antivirus software,
your FortiGate must be updated with a matching signature so that it can detect it.
Most organizations don't have the personnel to dedicate to writing antivirus
signatures, 24 hours a day, 7 days a week. Even if you do, it is usually beneficial to
share security knowledge and workload. A FortiGuard Antivirus service contract
provides your FortiGate with access to the latest signatures and detection engines
from Fortinet's security research team.
362
You can update your FortiGate's antivirus signatures and engines via either push,
pull, or both methods. (If temporary packet loss, for example, interferes with the push
method, also enabling pull as a backup method helps to ensure that your FortiGate
will not miss any updates.)
Regardless of which method you select, virus scanning must be enabled in at least
one firewall policy. Otherwise, FortiGate will not download any updates.
Alternatively, you can download packages from the Fortinet Technical Support web
site, and then manually upload them to your FortiGate.
363
diagnose autoupdate status shows your automatic update options, just like
System > Config > FortiGuard does on the GUI.
364
It's worth noting that there is an additional feature to the FortiGuard Antivirus service:
when FortiGate detects connections of infected computers to a botnet's command
and control servers (sometimes this is an IRC channel, or sometimes this is a
darknet web server), FortiGate can block those connections. The setting is in the
antivirus profile.
The FortiGuard security research team compiles and maintains a list of known botnet
command and control server IP addresses. FortiGate downloads this via FortiGuard
Antivirus and IPS updates.
365
366
Via the CLI, you can choose which database your FortiGate will use.
367
Once you have chosen an antivirus database, in order to use antivirus scans, you'll
also need to configure an antivirus profile. These profiles contain settings for the
inspection mode (that is, the proxy or flow-based engines), and define what
FortiGate should do if it detects an infected file.
Proxy options also specify the proxies' listening port numbers for various
unencrypted protocols. You can scan HTTP, for example, even if the connection
doesn't occur on the IANA standard TCP port 80.
But what about encrypted protocols? Encryption is a popular method for attackers to
circumvent security. So as you would expect, FortiGate can scan encrypted
protocols. But that isn't configured here.
368
For secure protocols (HTTPS, FTPS, etc.), the proxies are configured in a different
profile type: the so-called SSL inspection profiles.
Encrypted protocols can be inspected to a greater or lesser extent, depending on
what you select.
SSL Certificate inspection only validates certificate information, such as the issuing
CA. This type cannot inspect the contents of the traffic, which are inside the
encrypted payload.
Full SSL Inspection validates the certificate, but also decrypts the payloads for
antivirus scanning. Because this method uses an authorized man-in-the-middle
(MITM) attack, clients will detect the inspection. Users may need to either override
the SSL validation failure, or install your CA certificate.
Certificate-based inspection is described in detail in another lesson.
369
Virus scanning statistics can be found on the FortiGate dashboard, on the Advanced
Threat Protection Statistics widget.
If your FortiGate is submitting files for sandboxing, then it keeps statistics about the
number of files submitted, and the results of those scans. These statistics are
separate from files that are scanned locally on the FortiGate.
370
When the antivirus scan detects a virus, by default, it creates a log about what virus
was detected, and by which method. It also provides a link to more information on
the FortiGuard web site.
371
If the antivirus logs are empty, this doesn't mean your network has no outbreak.
Before, we showed how to pass a file if it is too large for scan buffers, is password-encrypted, or has too many layers of nested compression. Logging can be disabled
for those. We also explained the flow-based engine, and client comforting by the
proxy-based engine. Even if FortiGate detected a virus and reset the connection,
some or all of the virus could have been transmitted before then. And when choosing
an antivirus database, we said that if you trade some security for better performance,
some viruses may pass through. We also explained zero-day exploits.
If any of that happens, how can you submit a sample of a suspected virus, or get
information on how to disinfect those hosts?
Visit the FortiGuard web site, http://www.fortiguard.com.
In the example here, this antivirus signature is only in the extended database for
FortiClient. What does this mean? Unless you have a FortiGate model that can use
the extreme database, and you have enabled it, your firewall would not have been
able to detect that specific virus. If you have vulnerable Android hosts, and
FortiClient was installed, they would have been safe. But if they were not protected,
you would need to apply the recommended action to disinfect them.
372
If your antivirus scans are not functioning as you expect, where should you begin
troubleshooting?
Verify that FortiGuard updates are enabled, and that you have selected antivirus
profiles in your firewall policies. Updates won't occur if there is no firewall policy that
uses them, and antivirus scans won't occur unless a firewall policy applies them.
If automatic updates are enabled, the next thing to examine is whether those
scheduled update requests are succeeding. For that, use the command diagnose
autoupdate version.
It shows details about the antivirus engine and databases, IPS engine and
definitions, geography-to-IP mappings database, and other features.
It also shows your FortiGuard contract status (FortiGate won't be able to download
updates if it's not authorized), and when the last update was attempted, and
succeeded.
373
374
If your FortiGate's RAM usage is high, the next thing to examine is the event log.
Look for messages about conserve mode. Conserve mode occurs when FortiGate
does not have enough RAM available to properly handle traffic.
UTM such as antivirus is not required to be enabled for conserve mode to occur, but
UTM inspection does increase memory usage beyond simple firewall policies. In
other words, conserve mode is more likely when antivirus or IPS is enabled. You
can determine whether antivirus is using much of the memory by running the
command diagnose sys top.
There are a few categories of RAM conservation. Let's show the difference.
375
Kernel conservation mode is when FortiOS specifically does not have enough
memory available. There's no single cause, but it could be processes
simultaneously opening too many files, too much information on the stack, etc.
System conservation mode indicates a lack of RAM for processes and daemons
such as miglogd. The threshold is whenever the overall memory usage reaches
about 80%. Once triggered, FortiGate will not exit this mode until memory has
dropped by 10% to approximately 70%.
Proxy conservation mode is when the transparent UTM proxy runs out of available
sockets. The maximum number of proxied connections varies by model.
In kernel conservation, the behavior is not configurable. It is a critical lack of RAM.
But behavior for system and proxy RAM conservation is configurable. Let's see the
settings that you can use.
376
av-fail-open is the CLI setting that controls FortiGate's behavior while it is in system
conserve mode.
Depending on your configuration and traffic types, each option may be more or less
effective at freeing RAM.
377
If av-failopen-session is enabled, then FortiGate will act according to the av-failopen setting. Otherwise, by default, it will block new sessions until RAM becomes
available.
378
During kernel conservation mode, FortiGate attempts to reclaim memory that is not
in use.
In an operating system, when a process releases memory, it is not immediately
reclaimed. There is a garbage collector memory daemon that periodically finds
unused pointers. As part of this process, FortiGate drops any sessions that the proxy
considers idle.
While FortiGate is in this type of conserve mode, all new sessions will pass through
the FortiGate without any UTM inspection, because the operating system does not
have enough memory to do so.
379
Because logging itself requires some RAM, depending on the type of conserve
mode, log messages may not always immediately appear. Kernel conserve mode
especially may not appear easily.
Creating a log entry takes up memory. While in conserve mode, your FortiGate's
operating system is doing everything possible to prevent RAM usage from
increasing. Trying to create a log entry while conserve mode is active would be
counterproductive.
If your FortiGate is in one of the three conserve modes, how can you correct it?
380
This shows the shared memory diagnostic. It indicates what type of conserve mode
(if any) your FortiGate is in. It also provides a quick summary of how much shared
memory is being used on your FortiGate.
The antivirus database is one of the things on your FortiGate that uses shared
memory, so if this is very high, you can try to solve the problem by switching from the
extended signature database to the regular database, for example.
Notice that this command doesn't show kernel conserve mode, however. How can
you determine how much kernel memory is used?
381
diagnose firewall iprope state has a section right at the beginning with an entry for
av_break.
Normally, the av_break option will be pass/off. But if FortiGate is currently in kernel
conserve mode, this command will show av_break=pass/pass. If this is very
common, and you've checked your configuration, you may need to examine the
traffic levels and protocol types. Your network may have grown or changed in
important ways, and need a more powerful model capable of supporting the added
or changed traffic.
Much of the other output of this command is dictated by the settings for av-failopen
and av-failopen-session and will change based on the configured options.
382
383
Explicit Proxy
In this lesson, we will show you how your web browsers can use FortiGate as an explicit proxy.
384
After completing this lesson, you should have these practical skills.
You will learn how to configure both FortiGate and the web browsers that will use it as an explicit proxy.
Since you can alternatively use an implicit proxy, we will also explain why in some cases you might want
an explicit proxy instead.
385
A proxy receives or intercepts requests from a client to a server. If allowed, and if no cache is available,
it forwards the request to the server on behalf of the client.
Two sessions are created: one from the client to the proxy, and another one from the proxy to the server.
How is this different from an implicit proxy, sometimes called a transparent proxy?
386
An implicit proxy server does not require any configuration change on the clients. Clients continue to use
the web just like they would without a proxy.
Clients send requests to the web server's IP address and port number. The proxy intercepts the clients'
requests transparently; that is, at the IP layer, the destination address doesn't change.
Does this mean that implicit proxies don't require any configuration changes, anywhere? Not
necessarily.
Usually, both incoming and outgoing traffic is routed through FortiGate. As a result, web browsing is
already being routed through FortiGate, where it can be intercepted by the transparent proxy. But if
clients' traffic isn't currently routed through FortiGate, then you must reconfigure routing so that the
packets will be routed through FortiGate, where the implicit proxy can intercept.
387
388
How do you configure users' web browsers to use an explicit web proxy?
In large networks, you won't configure the browser settings individually, on each computer; instead, for
example, you may use an Active Directory login script or roaming profile.
Alternatively, you can configure browsers to use an explicit proxy by installing a PAC file, or using the web
proxy auto-discovery protocol (WPAD).
Let's look at each.
389
With manual configuration, you must provide one proxy's FQDN or IP address. It is limited to only one
proxy.
If you want to exempt specific IP addresses, subnets and FQDNs from using the proxy, you can add
them to a list. For those destinations, the browser will send requests directly to the web servers.
390
The second possible method is a standard explicit auto-configuration file, called a PAC file. A PAC file
contains instructions that tell the browser when to use a proxy, and which proxy to use, depending on the
destination.
This method supports use of multiple proxy servers.
To deploy the PAC file, first you must install it on an HTTP server that the clients can reach. (Your
FortiGate can act as the HTTP server for the PAC file.) Then you must configure all browsers with the
PAC file's URL. Again, in larger networks, you usually won't do this individually; instead, you will use
your domain to define the PAC file's URL.
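A PAC file for the deployment described above, covering both the exemption list of the manual method and the multiple-proxy support of the PAC method. This is an added example, not a file from the guide or from Fortinet: the proxy addresses (10.0.1.254 and 10.0.1.253 on port 8080) and the domain names are constructed placeholders, and the helper functions that a browser's PAC runtime normally supplies are defined at the top so the file also runs under Node.js.

```javascript
// Added example (not from the guide): PAC file for a FortiGate explicit proxy.
// Browsers provide isPlainHostName, dnsDomainIs, shExpMatch and isInNet;
// minimal versions are defined here so the same file runs outside a browser.

function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

function dnsDomainIs(host, domain) {
  return host.length >= domain.length && host.slice(-domain.length) === domain;
}

// Shell-style glob: "*" matches any run of characters, "?" a single character.
function shExpMatch(str, pattern) {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + escaped + "$").test(str);
}

function ipToInt(ip) {
  return ip.split(".").reduce((acc, octet) => (acc << 8) + Number(octet), 0) >>> 0;
}

// Only literal dotted-quad hosts are checked here; a browser would call
// dnsResolve(host) first when host is a name.
function isInNet(ip, net, mask) {
  const m = ipToInt(mask);
  return (ipToInt(ip) & m) === (ipToInt(net) & m);
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  // Exemptions, equivalent to the manual method's bypass list: single-label
  // intranet names, the corporate domain and mDNS-style names go direct.
  if (isPlainHostName(host) || dnsDomainIs(host, ".corp.example.com") || shExpMatch(host, "*.local")) {
    return "DIRECT";
  }
  // Literal private addresses (constructed ranges) also bypass the proxy.
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host) &&
      (isInNet(host, "10.0.0.0", "255.0.0.0") || isInNet(host, "192.168.0.0", "255.255.0.0"))) {
    return "DIRECT";
  }
  // Everything else goes through the FortiGate explicit proxy, with a second
  // proxy as fallback. There is deliberately no trailing "DIRECT": if both
  // proxies are down the browser fails rather than silently bypassing inspection.
  return "PROXY 10.0.1.254:8080; PROXY 10.0.1.253:8080";
}
```

Adding "; DIRECT" at the end of the last return would keep users browsing during a proxy outage, at the cost of uninspected traffic, so choose that tradeoff deliberately.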
391
392
Browsers can automatically discover the URL where the PAC file is located via the web proxy auto-discovery protocol.
There are two methods you can use to do this. One is to use a DNS server; the other is to use a DHCP
server.
Most browsers try the DHCP method first. If it fails, they try the DNS method.
393
394
395
Usually, you will enable the proxy to cache responses from web servers.
A web cache stores responses from web servers so that the next time a client requests the same thing,
FortiGate can quickly send the cached content, instead of forwarding the request and waiting for the
response. This reduces WAN bandwidth usage, server load, and delay. We will review how web caching
works in the next slides.
396
397
398
Given that cache consumes system resources, do you want all users to be able to use the cache?
You can configure FortiGate's HTTP proxy to allow access only to authenticated users that belong to
specific user groups. Authentication can be based on either source IP address or HTTP session
cookies.
How should you decide which to use?
IP-based authentication requires less RAM to remember the authenticated sessions. However, it should
only be used when each user has a different IP address from the perspective of the source address in
the IP header.
If your users are behind source NAT, such as with a remote office that uses Internet sharing, use HTTP
session-based authentication instead. In this mode, each browser inserts an HTTP cookie in its
requests. The cookie identifies the user's sessions. This method requires slightly more RAM because
FortiGate must remember all session cookies. However, it can even differentiate the same person using
multiple accounts, in multiple tabs, in multiple browsers.
399
What does the traffic flow look like when a user authenticates with the explicit proxy, using HTTP
session-based authentication?
If a user connects and the request doesn't have any associated authentication session, first FortiGate
replies to the browser, requesting login credentials. The browser prompts the user to authenticate, and
remembers the authenticated state by storing a cookie.
If the same user makes more requests later, the browser automatically sends the same cookie again.
FortiGate identifies the user via a lookup in its table of current session cookies, so the user does not
need to authenticate for every request, only the first time.
400
These are the steps for configuring a FortiGate as an explicit web proxy. We will show the details of
each step next.
401
By default, the explicit web proxy settings are hidden in the GUI. To show them, in the dashboard's
Features widget, enable explicit proxy.
402
Once explicit proxy settings are visible in the GUI, you can enable and configure them.
You can configure the TCP port where the proxy is listening, edit and upload the PAC file, and choose
the default action that FortiGate will take if there is any traffic that doesn't match a proxy policy.
We will talk about the proxy policies later.
403
After enabling the explicit web proxy globally, you must specify on which interfaces the proxy will
listen for connections.
404
The next step is to create explicit proxy policies to specify which traffic and users are allowed to use the
proxy. Starting from FortiOS 5.2, policies for explicit proxy are configured in a different configuration
section than the regular firewall policies.
Proxy traffic can be inspected. We can do antivirus, web filtering, application control and IPS inspection.
Additionally, the use of web caching can be enabled or disabled per policy.
When the proxy traffic matches a proxy policy, FortiGate takes one of three possible actions: accept
the traffic, deny it, or request authentication before accepting it.
If you select authentication as the action, you will be presented with the option to add authentication
rules. These rules specify which users and user groups are allowed, and what kind of inspection is
applied to each of them.
Authentication for the explicit proxy behaves differently than it usually does for firewall policies.
With the explicit proxy, FortiGate will not fall through to try the next authentication rule.
FortiGate always applies the first policy that matches all criteria: the source IP address, the destination
IP address, and the outgoing interface. It doesn't evaluate any policy after the first match, even if the
user failed to authenticate with the first rule.
Lets look at an example next.
In this example, the first proxy policy matches traffic from 10.0.1.0/24. It only allows the user named
Student.
The second policy allows traffic without authentication, but only if the source address matches 10.0.0.0/8.
With this configuration, if traffic arrives from the 10.0.1.0/24 subnet and that user has not authenticated
yet, FortiGate prompts the user to authenticate. Traffic from that source IP address always matches
the first policy, and FortiGate does not continue to evaluate other policies in the list after it finds a match.
So FortiGate never applies the second policy for that subnet, only for the rest of 10.0.0.0/8. A user in
10.0.1.0/24 who is not named Student is therefore denied, even though the second policy would have
accepted the traffic.
In the CLI, if you disable the setting strict-guest, all users that do not belong to any user
group in the proxy policy are treated as if they belonged to a group named SSO_guest_user. In this
way, you can control their access even if the users cannot authenticate.
As with firewall policies, when creating proxy policies you use firewall address objects to specify the
source and destination.
With HTTP, the destination may appear both in the IP header's destination field and in the HTTP
Host: header. They aren't always the same. Usually the Host: header is an FQDN, possibly indicating
an Apache virtual host; it is not usually an IP address. But at the IP layer, the destination field always
contains an IP address. So if you are matching by using an IP Range object, keep in mind which layer
you are matching, and the effects of NAT at both layers: destination NAT on the path changes the IP-layer
destination but leaves the Host: header untouched.
Are IP addresses and domain names the only way to match traffic with a proxy rule? No.
One type of firewall address object can only be used in proxy policies: the URL pattern object type. The
proxy can match policies based on the requested URL, not only the destination IP address. URL
address objects are used for that purpose.
In this example of the use of a URL Address object, the first proxy policy allows unrestricted access to
the URL update.microsoft.com. No authentication is required.
All other traffic matches the second policy, which enforces authentication when accessing any other
URL.
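The two policy sets above (the subnet example and the URL pattern example) can be checked before they are committed by modelling the documented matching rule: the first policy whose source and destination criteria match is applied, and FortiGate never falls through to a later policy when the user cannot satisfy that policy's authentication rule. The following is an added example written for this page, not FortiGate code: the policy set names, the sample addresses, the user names and the treatment of a URL pattern as a shell-style wildcard against the URL host are all assumptions of the example.

```python
"""Model of explicit proxy policy matching: first match wins, no fall-through.

Added example, not FortiGate code. Policy names, addresses, users and the
wildcard treatment of URL pattern objects are constructed for illustration.
"""
import ipaddress
import fnmatch
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Request:
    src_ip: str
    url_host: str                    # hostname from the requested URL / Host: header
    user: Optional[str] = None       # authenticated user, None when no session cookie


@dataclass
class ProxyPolicy:
    name: str
    srcaddr: str = "0.0.0.0/0"       # IP range / subnet object, matched at the IP layer
    dst_url: Optional[str] = None    # URL pattern object, matched against the URL host
    action: str = "accept"           # accept | deny | authenticate
    allowed_users: set = field(default_factory=set)

    def matches(self, req: Request) -> bool:
        """Policy selection looks only at source and destination, never at the user."""
        if ipaddress.ip_address(req.src_ip) not in ipaddress.ip_network(self.srcaddr):
            return False
        if self.dst_url is not None and not fnmatch.fnmatchcase(req.url_host, self.dst_url):
            return False
        return True


def evaluate(policies, req: Request, implicit="deny"):
    """Return (decision, policy name) for one request.

    The first policy whose source/destination criteria match is applied and
    later policies are never evaluated, even when the user cannot satisfy
    that policy's authentication rule.
    """
    for pol in policies:
        if not pol.matches(req):
            continue
        if pol.action in ("accept", "deny"):
            return pol.action, pol.name
        # action == "authenticate"
        if req.user is None:
            return "prompt-for-credentials", pol.name
        if req.user in pol.allowed_users:
            return "accept", pol.name
        return "deny", pol.name      # wrong user: no fall-through to the next policy
    return implicit, "implicit"


# Constructed policy set 1: the subnet example (the first policy shadows the second for 10.0.1.0/24)
SUBNET_POLICIES = [
    ProxyPolicy("student-only", srcaddr="10.0.1.0/24", action="authenticate",
                allowed_users={"Student"}),
    ProxyPolicy("rest-of-10", srcaddr="10.0.0.0/8", action="accept"),
]

# Constructed policy set 2: the URL pattern example (no authentication for Windows Update)
URL_POLICIES = [
    ProxyPolicy("windows-update", dst_url="update.microsoft.com", action="accept"),
    ProxyPolicy("everything-else", action="authenticate", allowed_users={"Student"}),
]


if __name__ == "__main__":
    for req in (Request("10.0.1.5", "www.example.com"),
                Request("10.0.1.5", "www.example.com", user="Bob"),
                Request("10.2.0.7", "www.example.com")):
        print(req.src_ip, req.user, "->", evaluate(SUBNET_POLICIES, req))
```

Running the model against a new policy list is a quick way to find a shadowed policy (a specific subnet accidentally captured by a broader, earlier entry) before users on that subnet start getting denied.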
If you are using the WPAD DNS method to configure the browser, you may need to edit the PAC file
settings to set the file name and listening port number.
As we explained before, the DNS method always assumes that the PAC file is located at:
http://<FortiGate_IP_Address>:80/wpad.dat
So if your clients use the DNS method, you must configure FortiGate to offer the PAC file under the name
wpad.dat, and to listen for requests for it on port 80.
Also, you must check that the Local Domain Name setting is properly configured.
This indicates which requests FortiGate will reply to: FortiGate only serves the WPAD file when the
Host: header of the client's request matches FortiGate's own local domain name.
Once the web proxy is working, you can monitor which users are connected to it, that is, the
proxy's session table. You can do this from the GUI, or from the CLI by using the command:
diagnose wad user list
You can also remove all entries from the list of users that are currently
authenticated with the proxy.
Web Filtering
In this lesson, we will show you how to filter users' access to web sites, which is one of the features
most commonly used by network administrators.
After completing this lesson, you should have these practical skills. This will give you an understanding
of the various options that are available to manage and track web content.
Familiarity with website design and behavior, as well as with the HTTP protocol, is useful for understanding
this module.
Web filtering is simply a means of controlling, or tracking, the websites people visit. There are many
reasons why a network administrator would want to do this: preserve employee productivity; prevent
network congestion where valuable bandwidth is used for non-business purposes; prevent loss or
exposure of confidential information; decrease exposure to web-based threats; limit legal liability when
employees access or download inappropriate or offensive material; prevent copyright infringement
caused by employees downloading or distributing copyrighted materials; prevent children from viewing
inappropriate material.
Proxy-based web filtering is achieved using a transparent proxy that intercepts traffic between the client
and server, setting FortiGate up as a man-in-the-middle. Proxy-based inspection provides the most flexibility and
configuration options for inspecting web traffic because it intercepts at Layer 7; as such, some features
are only available to you when using proxy-based inspection. Greater control comes at a cost: it is also
the most resource intensive in terms of memory and CPU usage, resulting in the slowest throughput.
That said, it is widely used and is a very strong solution on appropriately scaled systems.
Flow-based web filtering is achieved by intercepting the traffic between the client and server and
analyzing the TCP flow, hence flow-based. It provides less flexibility and fewer configuration options for
inspecting web traffic, when compared to proxy-based, because it intercepts at Layer 3 and works with
the Layer 4 data. It does not reassemble actual files, as the proxy does, so content cannot be sent to
scanunit.
Rather than looking at the HTTP protocol, another option is to filter the DNS requests that occur prior to
an HTTP GET request. This has the advantage of being very lightweight, but at a cost, because it lacks
the precision of HTTP filtering. Every protocol generates DNS requests in order to resolve a
hostname, so this kind of filtering affects all of the higher level protocols that depend on DNS,
not just web traffic. For example, it could apply FortiGuard categories to DNS requests for FTP servers.
Very few web filtering features are possible beyond hostname filtering, due to the small amount of data
available at the point of inspection: a DNS query carries the hostname but never the path or the full URL.
Inspection mode is set in the web filter profile. When changing mode, the options displayed will change
because they are dependent on the inspection mode. When a web filter profile using proxy inspection
mode is selected in your firewall policy, a proxy options profile must also be defined. The proxy options
profile defines proxy behaviors as well as the ports to be inspected for web or DNS traffic. HTTPS
inspection port numbers, and other settings related to the handling of SSL, are defined separately in the
SSL/SSH inspection profile.
Let's summarize the different modes. Proxy-based caches traffic, so it can cause a noticeable delay
depending on the file size, oversize limit and connection speed. It does, however, support a greater
number of web filtering features. Flow-based has a much higher throughput rate, compared to proxy-based,
because it does not cache data, so there is no transmission delay. DNS-based is very lightweight
because it handles only the nameserver lookup, but suffers from accuracy issues because it does not
see the full URL.
DNS web filtering looks at the nameserver response, which typically occurs when you connect to a
website. Proxy and flow-based web filtering both look for the HTTP 200 response returned when you
successfully access the website. Handling the response, as opposed to the DNS request or HTTP GET,
confirms the site is present.
Static URL filtering is enabled in the web filter profile. Entries in the URL filter list are checked against
the website that is visited. If a match is found, then the configured action is taken. If there is no match,
then FortiGate moves on to the next enabled check.
Patterns set to the type Simple are exact text matches. Patterns set to the type Wildcard allow for
some flexibility in the text pattern by allowing wildcard characters and partial matching to occur. Patterns
set to the type Reg. Expression allow the use of PCRE regular expressions.
When a user visits a website, FortiGate looks at the URL list for a matching entry. In this example,
the website matches the third entry (using the same list as the previous slide). This entry is a simple type, so
the match must be an exact one. There is no option for a partial match with a simple pattern. In this
case the action is to block the website, so the user is presented with a block page rather than the
website they were expecting to see.
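The three pattern types and the first-match rule described above can be exercised with a small matcher. This is an added example written for this page, not FortiGate code: the filter list, the hostnames and the exact semantics chosen for each type are assumptions. In particular, the example compares a Simple entry against the requested URL with the scheme and any trailing slash removed, so `www.badsite.example` matches `http://www.badsite.example/` but not `http://www.badsite.example/about`; Wildcard turns `*` into `.*` and must match the whole normalised URL; Reg. Expression is searched against the raw URL with Python's `re`, which agrees with PCRE for the patterns used here.

```python
"""Static URL filter list evaluation: Simple, Wildcard and Reg. Expression entries.

Added example, not FortiGate code. Entries, hostnames and the normalisation
rule for Simple entries are constructed for illustration. The first enabled
entry that matches decides; None means "no match, continue to the next check".
"""
import re
from urllib.parse import urlsplit


def normalise(url):
    """Strip the scheme and trailing slash so entries compare as 'host/path'."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return parts.netloc.lower() + parts.path.rstrip("/")


def compile_entry(entry_type, pattern):
    """Return a predicate for one URL filter entry (patterns are entered without a scheme)."""
    if entry_type == "simple":
        target = normalise(pattern)                       # exact match, no partial matching
        return lambda url: normalise(url) == target
    if entry_type == "wildcard":
        rx = re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$")
        return lambda url: rx.match(normalise(url)) is not None
    if entry_type == "regex":
        rx = re.compile(pattern)                          # PCRE-style expression on the raw URL
        return lambda url: rx.search(url) is not None
    raise ValueError("unknown entry type: " + entry_type)


class UrlFilterList:
    def __init__(self, entries):
        # entries: (type, pattern, action, enabled) in list order; disabled entries are skipped
        self.entries = [(t, p, a, compile_entry(t, p)) for t, p, a, enabled in entries if enabled]

    def check(self, url):
        """Return (action, pattern) of the first matching entry, or None if nothing matches."""
        for entry_type, pattern, action, matches in self.entries:
            if matches(url):
                return action, pattern
        return None


# Constructed filter list; the third entry is the Simple (exact) one used in the text's example
FILTER_LIST = [
    ("wildcard", "*.example.com/downloads/*", "allow", True),
    ("regex", r"\.torrent$", "block", True),
    ("simple", "www.badsite.example", "block", True),
    ("simple", "old.example.com", "exempt", False),      # disabled: never consulted
]

if __name__ == "__main__":
    flt = UrlFilterList(FILTER_LIST)
    for url in ("http://www.badsite.example/", "http://www.badsite.example/about",
                "http://files.example.com/downloads/tool.exe",
                "http://tracker.example.net/files/linux.iso.torrent"):
        print(url, "->", flt.check(url))
```

The second URL in the demo shows the practical consequence of the Simple type: a block on the bare hostname does not cover any page below it, so a Wildcard or Reg. Expression entry is the right choice when a whole site should be caught.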
Rather than blocking or allowing websites individually like static URL filtering, FortiGuard category filtering
looks at the category that a website has been rated with. Action is taken based on that category, not the
URL itself.
FortiGuard category filtering is a live service that requires a connection to the FortiGuard network and an
active contract in order to operate. If the contract expires, there is a 7-day grace period to renew the
contract before the service is cut off. Rather than communicating with the FortiGuard network to receive
a website's category, larger FortiManager models can serve the ratings instead.
FortiGuard category filtering and static URL filtering have different lists of possible actions that can be
configured. The impact of selecting different actions is covered later on.
When a user visits a web site, you can use the FortiGuard live service to find out the category for the
URL and allow or block access by category. This is a great way to perform bulk URL filtering without
having to individually define each web site.
After the 7-day grace period, FortiGate is no longer able to rate websites and every visit is treated
as a rating error. In the event of a rating error for a website there are only two options: block or allow.
FortiGuard category filtering is enabled in the GUI, through the Web Filter profile. Categories and
sub-categories are listed and the action to take can be defined individually. Actions are assigned by
right-clicking a category and selecting from the menu.
If the feature is enabled and the unit does not have a valid contract, a warning is displayed in
the GUI.
FortiGate can maintain a list of recent web site rating responses in memory, so if the URL is one
that the device already knows about it does not have to send a rating request. Two ports are
available for the unit to query FortiGuard with: port 53 and port 8888. Port 53 is the default, since this is
also the port number used for DNS, which is almost guaranteed to be open. However, any device on the path
that inspects the DNS protocol will see that this traffic is not DNS and may prevent the service from working. In
this case, you can switch to the alternate port 8888, but this port is not guaranteed to be open in all
networks, so check this before setting it up. Port 80 is an option for FortiGuard communications, but
only if you are using a FortiManager rather than the FortiGuard network.
Caching responses reduces the time it takes to establish a rating for a website. A rating request over
the network takes milliseconds at best, and seconds are not unusual, whereas a memory lookup is
orders of magnitude faster (nanoseconds).
The timeout for a rating request defaults to 15 seconds but can be raised as high as 30 seconds if necessary.
Web site categories are determined by both automatic and human methods. The FortiGuard team has
automatic web crawlers that look at various aspects of the website in order to come up with a rating.
There are also people who examine websites and look into rating requests in order to determine
categories.
There is always the possibility for errors in rating, or a scenario where you simply do not agree with the
rating a site has been given. In this case, you can use the web portal to contact the FortiGuard filtering
team to submit a web site for a new rating, or to get it rated if it is not already in the database.
The Warning action is only an option when using FortiGuard category filtering, and only with proxy-mode
inspection. It is not available with static URL filtering.
When someone visits a website that is in a category with an action of Warning, they are presented with a
page that warns them they may not wish to visit this website. They are given a choice to go to the
website anyway, or go back to the previous page.
The Authenticate action is only an option when using FortiGuard category filtering, and only with proxy-mode
inspection. It is not available with static URL filtering.
The Authenticate action blocks all websites that are in that category unless a valid passcode is
entered. This is not user authentication: entering valid credentials does not result in any kind of
login. The username/password pair is used in the same way a key is used to open a locked door.
Once this has been done successfully, access is allowed to that category for the amount of time that has
been configured. This allows the user to visit any other websites that are in the same category for
however long has been configured. They will not be prompted again when visiting a second (or third)
website in the same category, so long as the timer has not expired.
The Exempt action is only an option when using Static URL filtering. It is not available with FortiGuard
category filtering.
The exempt action is used in order to bypass issues that may be caused by other checks. Sometimes
FortiGuard category filtering is not granular enough, sometimes a file you need is being caught by virus
scanning. Exempt gives the ability to bypass one or more checks or all further checks.
These actions are possible with both FortiGuard category filtering and static URL filtering. Regardless of
which feature they are used with, the resulting action is the same.
Allow: effectively defines the website as trusted. Access to the site is permitted and no log
message is generated to record this.
Monitor: access to the website is permitted and a log message is generated to record the event.
Block: prevents access to the website and displays a block page to the user instead.
Log message generation is subject to the firewall policy, specifically its Logging Options setting.
When using FortiGuard category filtering, one option to allow or block access to a website is to create a
web rating override and define the website as being in a category other than the one FortiGuard puts it in.
Web rating overrides are only for hostnames; no URLs or wildcard characters are allowed.
Category filtering is not granular like static URL filtering. If you have a category that is blocked (or
allowed) and you need to make an exception for a particular website, this is one option that is available
to you.
If the contract expires and the 7-day grace period passes, web rating overrides will not be effective.
All website categories will still be considered rating errors.
Since FortiGuard category filtering is not granular and performs actions based on the category the
websites are in, there may be times when an exception needs to be made for a single website.
Rather than unblocking a potentially unwanted category, access can be provided on a site-by-site basis.
The reverse can also be true, with the majority of websites in a category being fine, but a single one
needing to be blocked.
Changing the category does not automatically result in a different action for the website. The action
depends on the settings within the Web Filter profile at the time the user is accessing that web site.
Custom categories can be created and used in conjunction with web rating overrides. If the predefined
categories within FortiGuard are not suitable for the situation, additional customized categories can be
added.
These custom categories can be added and deleted as needed, so long as they are not in use. A
category is considered to be in use if any web rating override has been configured to use
it. It is also considered in use if there is an action associated with that category other than Allow in
any web filter profile.
FortiGuard quota can be used to limit the time users spend on web sites, based on the categorization.
Quota cannot redirect you once the web site is loaded in the browser. For example, if you had 45
seconds left on your quota and you visited a web site, it would likely finish loading before 45 seconds
was done. You could then spend 20 minutes browsing the information you received. You could not get
blocked or notified until the next attempt to access another one of these web sites. The reason for this is
that the connection to the web site is not generally a live stream. Once you receive the information, the
connection is closed.
Quotas are configured just below the category actions in the Web Filter profile.
Multiple quotas (timers) can be configured within this section. Each one can be linked to a
single category or to several. If a quota applies to multiple categories, the time is not allotted per
category: the single timer counts time spent in any of the categories that are specified.
Some features on the FortiGate can't provide direct user feedback. FortiGuard quota won't give the user
any feedback until they exceed the quota they have been given, unless the Fortinet Bar is
enabled.
The Fortinet Bar injects a Java applet that uses a communications port to talk to the FortiGate and get
additional information from features that would otherwise provide no direct user feedback.
For FortiGuard quota it provides a countdown.
Other features that can't display block pages (for example, application control) show block events in the top bar.
HTTPS pages are much more sensitive to injected data, so it is not possible to reliably insert content into
them; the Fortinet Bar is therefore only available for HTTP websites.
Safe search can be enforced for Google, Bing and Yahoo. Safe search is an option that some
search engines offer to apply their own filters to the search results they display. With enforcement, even
if safe search is disabled in the browser, FortiGate makes sure the query is subject to whatever
filtering the service applies. All FortiGate can do is ensure that it is enabled. It cannot dictate what the
filter does, as that is up to the search engine providers. It works by looking for the safe
search parameter when a search is submitted. If it is not there, FortiGate modifies the request to
include it. This way, even if it is not enabled locally in the browser, it gets applied to the request as it
passes through FortiGate.
YouTube EDU filtering is also available. This is a service offered by YouTube to educational institutions.
When you create an account with them, they provide you with an identifier. Unlike normal safe search,
this does not add a parameter to the URL but inserts an HTTP header into the request. This identifies your school to
YouTube when people visit. Within your YouTube EDU account, you can configure the filters and
settings in order to limit video access.
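The rewrite described above can be shown on real request URLs. The following is an added example written for this page, not FortiGate code: it forces the engine's safe search parameter on (adding it when absent, replacing it when the user has turned it off) and adds the YouTube EDU identifier as a header rather than a URL change. The parameter names (Google `safe=active`, Bing `adlt=strict`, Yahoo `vm=r`) and the `X-YouTube-Edu-Filter` header name are assumptions of the example taken from how those services accepted the setting at the time; the page itself does not list them. Note that a query can only be rewritten where the proxy sees it, so for HTTPS searches this requires full SSL inspection.

```python
"""Safe search enforcement and YouTube EDU header insertion.

Added example, not FortiGate code. The parameter names, the header name and
the sample URLs are assumptions/constructed for illustration.
"""
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# hostname suffix -> (query parameter, value that turns the engine's own filter on)
SAFE_SEARCH_PARAMS = {
    "google.com": ("safe", "active"),
    "bing.com": ("adlt", "strict"),
    "search.yahoo.com": ("vm", "r"),
}
YOUTUBE_EDU_HEADER = "X-YouTube-Edu-Filter"


def _engine_param(host):
    """Return the (name, value) pair for a search engine host, or None for other hosts."""
    host = host.lower()
    for suffix, param in SAFE_SEARCH_PARAMS.items():
        if host == suffix or host.endswith("." + suffix):
            return param
    return None


def enforce_safe_search(url):
    """Return the URL with the engine's safe search parameter forced on.

    A request that already carries the right value is left as it is; a request
    that carries any other value (the user switched the filter off in the
    browser) is corrected; requests to non-search hosts pass through unchanged.
    """
    parts = urlsplit(url)
    param = _engine_param(parts.hostname or "")
    if param is None:
        return url
    name, value = param
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True) if k != name]
    query.append((name, value))
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), parts.fragment))


def add_youtube_edu_header(headers, host, edu_id):
    """Return a copy of the request headers with the EDU identifier added for YouTube hosts."""
    host = host.lower()
    headers = dict(headers)
    if host == "youtube.com" or host.endswith(".youtube.com"):
        headers[YOUTUBE_EDU_HEADER] = edu_id
    return headers


if __name__ == "__main__":
    for url in ("https://www.google.com/search?q=kittens&safe=off",
                "https://www.bing.com/search?q=kittens",
                "https://www.example.com/search?q=kittens"):
        print(url, "->", enforce_safe_search(url))
    print(add_youtube_edu_header({"Host": "www.youtube.com"}, "www.youtube.com", "EDU-ID-PLACEHOLDER"))
```

The function drops every existing copy of the parameter before appending the enforced one, so a request such as `safe=off&safe=active` cannot be used to argue with the engine about which value wins.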
There are several different components to web filtering, and when they are enabled, the inspection order
follows these steps.
The local static URL filter runs first.
Second, FortiGuard category filtering determines a rating.
Finally, advanced filters take place, like safe search or removing ActiveX components.
After all the checks are done, the content is handed off internally for virus scanning.
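The inspection order above, together with the rating cache and rating error handling, the web rating override, the category actions and the shared quota timer described earlier in this lesson, can be put into one model so the interactions are visible. This is an added example written for this page, not FortiGate code: the rating table standing in for the FortiGuard service, the cache TTL, the hostnames, the static list (modelled here as an exact hostname lookup) and the quota settings are all constructed. The model keeps the documented behaviours: an Exempt entry stops all further web filter checks, a Block ends the pipeline, an override replaces the category returned by the service and so has no effect once every lookup is a rating error, and a quota is only checked before a page loads, so time spent is charged afterwards and the user is stopped on the next request.

```python
"""Web filter inspection order: static URL filter, FortiGuard category, advanced filters.

Added example, not FortiGate code. The rating table, TTL, hostnames and quota
values are constructed for illustration.
"""
import time

RATING_ERROR = "rating-error"


class FortiGuardRating:
    """Stand-in for the FortiGuard rating service with the in-memory response cache."""

    def __init__(self, table, ttl=3600, contract_valid=True, clock=time.time):
        self.table = table                  # constructed hostname -> category table
        self.ttl = ttl                      # seconds a cached rating stays valid
        self.contract_valid = contract_valid
        self.clock = clock
        self.cache = {}
        self.queries = 0                    # rating requests that actually left the box

    def rate(self, host):
        if not self.contract_valid:
            return RATING_ERROR             # after the grace period every lookup is a rating error
        now = self.clock()
        hit = self.cache.get(host)
        if hit is not None and hit[1] > now:
            return hit[0]                   # memory lookup, no round trip
        self.queries += 1
        category = self.table.get(host, "Unrated")
        self.cache[host] = (category, now + self.ttl)
        return category


class WebFilterProfile:
    def __init__(self, rating, static=None, overrides=None, actions=None,
                 rating_error="block", quotas=None):
        self.rating = rating
        self.static = static or {}          # hostname -> allow|block|exempt (exact hostname list)
        self.overrides = overrides or {}    # hostname -> category (web rating overrides)
        self.actions = actions or {}        # category -> allow|monitor|block|warning|authenticate
        self.rating_error = rating_error    # block | allow: the only two choices for a rating error
        self.quotas = quotas or []          # [(set of categories, seconds)], one timer per entry
        self.used = [0.0] * len(self.quotas)

    def inspect(self, host, seconds=0.0):
        """Return (action, reason); 'seconds' is the time the user then spends on the site."""
        # 1. local static URL filter runs first
        verdict = self.static.get(host)
        if verdict == "exempt":
            return "allow", "static-exempt"  # exempt: no further web filter checks
        if verdict in ("allow", "block"):
            return verdict, "static"
        # 2. FortiGuard category rating; the override replaces the returned category,
        #    so it has no effect once every lookup comes back as a rating error
        category = self.rating.rate(host)
        if category == RATING_ERROR:
            return self.rating_error, RATING_ERROR
        category = self.overrides.get(host, category)
        action = self.actions.get(category, "allow")
        if action == "block":
            return "block", category
        # quota is checked before the page loads and time is charged afterwards,
        # which is why the user is only stopped on the next request
        for i, (cats, limit) in enumerate(self.quotas):
            if category in cats:
                if self.used[i] >= limit:
                    return "block", "quota-exceeded"
                self.used[i] += seconds      # one timer shared by every category in the entry
        # 3. advanced filters (safe search, ActiveX removal) would run here, then antivirus
        return action, category


if __name__ == "__main__":
    fg = FortiGuardRating({"games.example": "Games", "video.example": "Streaming"}, ttl=15)
    prof = WebFilterProfile(fg, actions={"Games": "warning", "Streaming": "monitor"},
                            quotas=[({"Games", "Streaming"}, 60)])
    for host, spent in (("games.example", 45), ("video.example", 20), ("video.example", 0)):
        print(host, "->", prof.inspect(host, seconds=spent))
```

The demo shows the shared timer: 45 seconds on a Games site plus 20 on a Streaming site exhausts one 60-second quota, and the user is blocked on the third request, not in the middle of the second.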
Here's a look at the web filter profile. At the top you can enable FortiGuard and assign the actions to
the various web site categories.
If you scroll down towards the bottom you will find the more advanced options that can be enabled, like
safe search and static URL filtering. Once you have enabled and saved the settings you require, you
need to apply the profile to your firewall policy to activate the options.
Web profile overrides change the rules that are used to inspect traffic. Enabling them allows
authorized users to enter a passcode that changes the Web Filter profile that inspects their traffic to
another profile. Proper configuration would mean this new profile has elevated access permissions and
allows additional websites. The new profile is used to inspect all of their web traffic from that point
on, until the timer expires. Authentication must be enabled in order to use this. Once web profile
overrides are enabled, the FortiGuard block page shows an override link that users can select in order
to activate this override.
How the FortiGate handles HTTPS traffic is decided based on the settings of the SSL Inspection profile
that is applied to the Firewall Policy. SSL Certificate Inspection reads only unencrypted data from the
hello message, whereas Full SSL Inspection will proxy SSL, allowing for full content inspection.
SSL and Certificates are covered in more detail in the Certificate Operations module.
This is an example of the log message generated as a result of applying a web filter profile on a firewall
policy. Access details include information about the FortiGuard quota and category (if those are
enabled), which web filter profile was used to inspect the traffic, the URL and more details about the
event.
You can also view the raw log data by selecting the Download Raw Log button at the top right of the
GUI. When the downloaded file is opened, it will be a plain text file in a syslog format.
The list of IP addresses to use for FortiGuard comes back from the update server (FortiGuard Distribution
Network or FortiManager). The columns in the output mean:
Weight: based on the difference in time zone between the FortiGate and this server (modified by
traffic).
RTT: round trip time.
Flags: D (IP returned from DNS), I (contract server contacted), T (being timed), F (failed).
TZ: server time zone.
Curr Lost: current number of consecutive lost packets (in a row; resets to 0 when one packet
succeeds).
Total Lost: total number of lost packets.
The list is of variable length, depending on the FortiGuard Distribution Network, but approximately 10 IPs
in total is the average.
Logs can be used to determine the decision made by FortiGate, but this depends on the configured
settings. The firewall policy may not be set to log, or the web filter action could be Allow, which generates
no log message. In both of those cases no log event is generated to record the decision.
This diagnostic shows the full URL in the output. In order to make it fit, some of the output was cut
off on this page. The source of the request, the hostname, the URL, the user (if authentication is enabled)
and the profile used to examine the URL can all be determined by reading the output.
Application Control
In this lesson, you will learn about how to control network applications beyond simply
blocking or allowing a port number.
After completing this lesson, you should have these practical skills to apply application
control, keep it up to date, and monitor which applications are being used on your
network.
Lab exercises can help you to reinforce what you've learned.
Application control detects applications, often ones that waste bandwidth, and
allows you to monitor and/or block the traffic. Like other UTM inspection, to use
application control you must first set it up.
Unlike other forms of UTM, such as web filtering or antivirus, application control isn't
applied by a proxy. It uses the IPS engine, so it doesn't rely on a parser with built-in protocol states.
Instead, it matches patterns in the entire byte stream of the packets.
By comparison, when applying web filtering and antivirus via the HTTP proxy, the proxy
first parses HTTP and removes the protocol, and then scans only the payload inside.
Why does FortiGate use a flow-based scan for application control?
Peer-to-peer downloads divide each file among multiple (theoretically unlimited) peers.
Each peer delivers part of the file. Interestingly, where having many clients is a disadvantage
for client-server architectures, it is an advantage for peer-to-peer: as the number of
peers increases to n, the file can be delivered up to n times faster.
Because popularity increases the speed of delivery, unlike traditional client-server
architecture, where popularity could effectively cause a denial of service attack on the
server, some software, such as BitTorrent distributions of Linux and games
distributing new patches, leverages this advantage. Even if each client has little
bandwidth, together they can offer more bandwidth for the download than many
powerful servers.
Conversely, in order to download the file, this also means that the requesting peer can
consume much more bandwidth per second than it could from only a single server.
Even if there is only one peer on your network, it can consume unusually large
amounts. And because the protocols are usually evasive, and there will be many
sessions to many peers, they are difficult to block completely. In a DHCP LAN or guest
Wi-Fi, where the inside peer doesn't have a static IP address or even a predictable
physical location, it can be extremely difficult to find and stop.
So how does application control block these applications, and more? It scans packets
passing through the FortiGate and looks for patterns.
A particular application, such as Google Talk, is identified by matching known patterns
to its transmission patterns. So obviously it can only be accurately identified if this
stream is unique somehow. Not every application behaves in a unique way. Many reuse
pre-existing, standard protocols and communication methods. For example,
many video games, such as World of Warcraft, now use the BitTorrent protocol to
distribute game patches.
Application control only scans the network traffic. It doesn't scan
software installed on the client; that would require software to be installed on the
endpoint, such as a FortiScan agent. So it won't detect software until it starts and
connects to the network.
Application control does not use FortiGate's proxies. So unlike some other UTM profiles, you can't
switch between proxy- and flow-based inspection.
Before you try to control applications, it's important to understand how that works.
How does application control detect the newest applications, and changes to those application
protocols?
To do this, you can configure your FortiGate to automatically update its application control signature
database, in the same way that it polls FortiGuard for new IPS signatures.
The extended IPS signature package includes more application control signatures. So if you don't find
the ones you need initially, you can enable that option to download more.
To view the signatures that your FortiGate has downloaded, click the View Application
Signatures link in the application control profile.
Remember, if you did not enable download of the extended IPS database, FortiGuard
may have more signatures available that you do not see in the GUI. To see those, visit
the FortiGuard web site.
On the FortiGuard web site, you can read details about each signature's related
application. Let's look at an example.
This is the article for Google Talk. It is an instant messenger, so Fortinet has put it in
the Collaboration category. The article mentions that Google Talk, like many instant
messengers now, uses the Jabber protocol. So if you block the application, the logs
may show the Jabber protocol, even though the application that the user has installed
is named Google Talk.
If there are any special requirements in order to scan or block the application, the
article provides some advice. But it's always wise to search the Internet for more
information, and to make test policies and observe the behavior.
At the top of the page, you'll also notice a risk rating.
When building an application control signature, FortiGuard's security research team evaluates the
application and assigns a risk level. It is based on the types of security risk. The rating is Fortinet-specific,
and not related to CVSS or other external systems.
If you aren't familiar with a specific piece of software, this information can help you to decide whether it
would be wise to block it or not.
If there are new applications that you need to control, and the latest update doesn't
have any definitions for them, you can ask FortiGuard to add them.
Remember, though, that not all applications can be uniquely defined. That is to say,
there must be something about the traffic that can be used to differentiate it from other
similar traffic: traffic that occurs on the same port, or via the same protocol.
Once you have a signature, the next step is to define your settings to control it. Do this in an application
sensor.
Then, to apply your application control settings, select the sensor in the firewall policy.
Like any other security profile, these settings are not global. FortiGate only applies them to traffic
governed by the firewall policy where you've selected an application control sensor. This allows granular
control.
Did you see these two at the end of the list of categories? They are catch-all
categories:
All Other Known Applications
All Other Unknown Applications
All Other Known Applications matches traffic that can be identified, but that you did not
explicitly configure in the sensor. This can happen because some categories are only
configurable through the CLI: the ones that are in the extended IPS database.
All Other Unknown Applications matches traffic that could not be identified at all. Application
control will create a log entry that says the traffic is an Unknown Application.
Depending on:
how many rare applications your users have
which IPS database you are using (remember, the default IPS database can identify
fewer rare applications than the extended one)
this might cause many log entries. Frequent log entries decrease performance, so consider
disabling logging for unknown applications outside of an investigation.
Once you've applied application control, FortiGate will start to scan packets for
matches. It will do this in a specific order.
There are two major sections to the application control sensor:
Categories at the top
Application Overrides below Categories
First, IPSEngine examines the traffic stream for a signature match. If you've configured
any overrides, application control considers those first, even though they appear lower in the
GUI. It looks for a matching override starting at the top of the list, like firewall policies. If no
matching override exists, then application control applies the action that you've configured for
the category that the matched signature belongs to.
Multiple overrides for the same signature cannot be created.
Which is the correct action to select? It depends on the application. If an application requires feedback to
prevent instability or other unwanted behavior (for example, a client that retries endlessly when packets are
silently dropped), then you might use Reset instead of Block. If you need to allow the application but
prevent it from starving other applications of bandwidth, then traffic shaping might be a good choice.
Otherwise, the most efficient use of FortiGate resources is to simply block.
Order of scans is introduced in the firewall policies lesson. But here is a review of the third phase: where
application control occurs.
Application control is later than many of FortiGate's other scans and actions, such as VPN ingress
and DoS protection.
But within UTM, it is one of the first scans. So if traffic is blocked by application control, FortiGate never
does later scans like web filtering or antivirus, even if those profiles use flow-based inspection from
IPSEngine, just like application control. But if you have configured application control to allow the traffic
(that is, neither block it nor reset the TCP connection), then FortiGate will proceed to the next scans: email
filtering, web filtering, and antivirus. Because each scan can have exemptions, this has some interesting effects.
Here is an example of how several UTM features could work together, overlap, or act as substitutes, on the
same traffic.
In this sensor, application control (in general) blocks the categories Social.Media and Video/Audio. For
those applications, FortiGate responds with application control's HTTP block message. (It's slightly
different than web filtering's HTTP block message.) But at the bottom of this sensor, there are some
exceptions. Instead of blocking, application control applies traffic shaping to Facebook and YouTube.
After the application control scan is done, FortiGate begins other scans, such as web filtering. This, too,
could block Facebook and YouTube, but it would use its own message. Also, web filtering doesn't check
the list of application control overrides. So even if an application control override allows and rate
limits an app, web filtering could still block it.
Similarly, static URL filtering has its own Exempt action, which bypasses all subsequent security
checks. However, application control occurs before web filtering, so that web filtering exemption can't
bypass application control.
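The sensor described above, written out as an added FortiOS 5.2 CLI example (this is not configuration taken from the guide): a traffic shaper, then an application sensor whose override entries are listed first so that they are matched before the category entries, followed by the two catch-all settings. The shaper and sensor names are chosen here. The category IDs (23 for Social.Media, 5 for Video/Audio) and application IDs (15832 for Facebook, 31077 for YouTube) are assumed values; confirm them against the category list in the GUI or the FortiGuard encyclopedia on your own unit before deploying. The sensor takes effect only once it is selected in a firewall policy.

```fortios
# Added example, not from the guide. Assumed names: "shape-video-2mbps" and
# "social-video-ctrl". Category and application IDs below are assumed; verify
# them against your unit's FortiGuard database before use.

# Shared shaper: every session matched by an override entry below is capped
# together at 2000 kbps (per-policy disabled = one pool for all policies).
config firewall shaper traffic-shaper
    edit "shape-video-2mbps"
        set maximum-bandwidth 2000
        set per-policy disable
    next
end

config application list
    edit "social-video-ctrl"
        set comment "Block social media and streaming, rate limit Facebook and YouTube"
        config entries
            # Entries are evaluated top-down, like firewall policies. The
            # signature-specific overrides come first so they win over the
            # category entries that follow.
            edit 1
                set application 15832
                set action pass
                set shaper "shape-video-2mbps"
                set log enable
            next
            edit 2
                set application 31077
                set action pass
                set shaper "shape-video-2mbps"
                set log enable
            next
            # Category entries: everything else in Social.Media (23) and
            # Video/Audio (5) is blocked and logged.
            edit 3
                set category 23
                set action block
                set log enable
            next
            edit 4
                set category 5
                set action block
                set log enable
            next
        end
        # Catch-alls. Identified but unlisted applications pass and are logged
        # (the Monitor behaviour). Unidentified traffic passes without logging,
        # which avoids one log entry per unknown session.
        set other-application-action pass
        set other-application-log enable
        set unknown-application-action pass
        set unknown-application-log disable
    next
end
```

Because the override entries use action pass, web filtering still runs on the Facebook and YouTube sessions afterwards and can block them with its own message; the category entries use action block, so for those applications no later UTM scan runs at all.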
For HTTP-based applications, application control can provide some feedback to the user about why their
application was blocked. This is called a block page, and it's similar to the one you can configure for
URLs that you block via FortiGuard Web Filtering.
The block page says:
which signature detected the application (in this case, HTTP.Browser_Firefox)
the signature's category (Web.Others)
the URL that was specifically blocked (in this case, the index page of msn.com), since a web page
can be assembled from multiple URLs
the client's source IP (10.0.1.10)
the server's destination IP (23.101.196.141)
the user name (if authentication is enabled)
the UUID of the policy governing the traffic
and the FortiGate's host name
The last two pieces of information can help you to find which FortiGate and which policy blocked the page,
even if you have a large network with many FortiGates securing different segments.
Let's say that you have enabled application control because users have been
complaining that the network is slow. During peak times, you notice that there is no
bandwidth remaining. Application control with the Monitor action selected showed
that many users were using YouTube, and it correlated to periods of bandwidth
saturation.
How could you solve this?
With web filtering, you can see that www.youtube.com is often accessed, but it doesn't
analyze the function of each URL. And it can't apply traffic shaping.
Alternatively, since YouTube generates large volumes of traffic, you could use
application control signatures with a traffic shaping action. Let's examine the details of
how that could work.
Not all URL requests to www.youtube.com are for video. Your browser makes several HTTP
requests for:
the web page itself
images
scripts and style sheets
video
and all of them have separate URLs. If you analyze a site like YouTube, the web pages themselves
don't use much bandwidth. Mostly, the culprit is the video.
But since it is all transported via the same protocol (HTTPS), and the URLs contain dynamically
generated alphanumeric strings:
traditional firewall policies can't block or throttle it by port number or protocol, which are the same for
every request
web filtering cannot apply traffic shaping
With application control, you can rate limit only the videos. This prevents users from saturating your
network bandwidth while still allowing them to access the other content on the site, such as
comments or sharing links.
At the bottom of the application sensor, there are more options that affect how application control
functions.
Deep Inspection of Cloud Applications does not enable SSL inspection. Many applications are
switching to HTTPS-only, so remember that for those, you will also need an SSL/SSH inspection
profile in the same firewall policy. This includes many popular ones, such as Twitter. If the application is
encrypted, and you haven't enabled SSL/SSH inspection, then application control will only see TLS and
won't be able to recognize the application.
If you choose to enable Allow and Log DNS Traffic, be aware that you should only do it for short
periods, such as during an investigation. Leaving this option enabled for long periods can impact
performance and cause premature disk failure: one log is created per packet. So depending on the
application, and how often it queries DNS servers, this can use significant system resources.
Replacement Messages for HTTP-based Applications allows you to replace blocked content with an
explanation for the user's benefit. Application control can also link into the Fortinet Bar, if that has been
enabled. With non-HTTP applications, however, you can only drop the packets or reset the TCP
connection.
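The two points above that most often trip people up, an HTTPS-only application going unrecognized and a sensor that is configured but not applied, come down to the firewall policy. As an added FortiOS 5.2 CLI example (not configuration from the guide), this turns on the sensor's HTTP replacement message and cloud-application deep inspection, then binds the sensor to a policy together with an SSL/SSH inspection profile. It assumes an application sensor named "social-video-ctrl" already exists, that the default "deep-inspection" SSL/SSH profile is present, and that the interfaces are "internal" and "wan1"; the policy ID 10 is arbitrary.

```fortios
# Added example, not from the guide. Assumes sensor "social-video-ctrl" exists,
# the default SSL/SSH inspection profile "deep-inspection" is present, and the
# interfaces are "internal" (LAN) and "wan1". Policy ID 10 is arbitrary.

config application list
    edit "social-video-ctrl"
        # Show the HTTP block page for blocked web applications instead of a
        # silent drop. Non-HTTP applications are still dropped or reset.
        set app-replacemsg enable
        # Deep inspection of cloud applications. This does NOT decrypt TLS;
        # encrypted applications still need the SSL/SSH profile on the policy.
        set deep-app-inspection enable
    next
end

config firewall policy
    edit 10
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        # Security profiles only apply to traffic matched by this policy.
        set utm-status enable
        set application-list "social-video-ctrl"
        # Without this, HTTPS-only applications (Twitter, YouTube, ...) are seen
        # only as TLS and the sensor cannot name them.
        set ssl-ssh-profile "deep-inspection"
        # Log all sessions so the forward traffic log also records which
        # policy (by ID and UUID) applied application control.
        set logtraffic all
    next
end
```

Traffic that matches any other policy, or a policy without utm-status enabled, is not inspected by this sensor at all; check the Policy ID or Policy UUID in the logs when an application you expected to be controlled is not.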
If you have logging enabled, you can use it to discover which applications are being used on your
network, and details about them. Look in Log & Report > Security Log > Application Control.
In this example, application control detected a client attempting to access Facebook. The configured
action was to monitor the traffic. We know this because the Action field indicates pass, so FortiGate
didn't block the traffic. But the action wasn't to simply allow the traffic without logging, either,
which we know because the log message exists.
To view details about the log message, click its entry. The application name is a link to the FortiGuard
encyclopedia web site. If you were unaware of the application, and don't know what type of risks it
presents, you could click the link to read more.
If you look in the forward traffic log, where firewall policies record activity, you'll also find a summary of
traffic where FortiGate applied application control. Again, this is because application control is applied by
a firewall policy, not globally.
To find which policy applied application control, you can use either the Policy ID or the Policy UUID
fields of this log message.