
DO NOT REPRINT

FORTINET

FortiGate I
Student Guide
for FortiGate 5.2.1

Last Updated: 30 April 2015

Fortinet, FortiGate, and FortiGuard are registered trademarks of Fortinet, Inc., and other Fortinet
names herein may also be trademarks, registered or otherwise, of Fortinet. All other product or
company names may be trademarks of their respective owners. Copyright 2002 - 2015 Fortinet, Inc.
All rights reserved. Contents and terms are subject to change by Fortinet without prior notice. No part
of this publication may be reproduced in any form or by any means or used to make any derivative
such as translation, transformation, or adaptation without permission from Fortinet, Inc., as stipulated
by the United States Copyright Act of 1976.

Table of Contents
VIRTUAL LAB BASICS ...................................................................................7
Topology..................................................................................................................................8
Logging In ...............................................................................................................................8
Disconnections/Timeouts .............................................................................................................................13

Transferring Files to the VM....................................................................................................13


Using HTML5 Instead of Java ................................................................................................13
Screen Resolution...................................................................................................................14
International Keyboards ..........................................................................................................14
Troubleshooting Tips ..............................................................................................................15

INTRODUCTION TO FORTINET UTM................................................................17


Lab 1: Initial Setup and Configuration.....................................................................................17
Objectives.....................................................................................................................................................17
Time to Complete .........................................................................................................................................17
Exercise 1 (Optional) Configuring Network Interfaces on the Student & Remote FortiGate .......................18
Exercise 2 Exploring the Command Line Interface......................................................................................20
Exercise 3 Restoring a Configuration from Backup .....................................................................................22
Exercise 4 Making Configuration Backups ..................................................................................................24

Lab 2: Administrative Access..................................................................................................25


Objectives.....................................................................................................................................................25
Time to Complete .........................................................................................................................................25
Exercise 1 Administrators, Passwords, and Permissions ............................................................................26
Exercise 2 Restricting Administrator Access ...............................................................................................28

LOGGING & MONITORING..............................................................................29


Lab 1: Status Monitor and Event Log .....................................................................................29
Objectives.....................................................................................................................................................29
Time to Complete .........................................................................................................................................29
Exercise 1 Using the GUI's Status Monitor..................................................................................................30
Exercise 2 Event Log & Logging Options ....................................................................................................33

Lab 2: Remote Monitoring.......................................................................................................35

Objectives.....................................................................................................................................................35
Time to Complete .........................................................................................................................................35
Exercise 1 Remote Logging & SNMP Monitoring ........................................................................................36

FIREWALL POLICIES .....................................................................................38


Lab 1: Firewall Policy ..............................................................................................................38
Objectives.....................................................................................................................................................38
Time to Complete .........................................................................................................................................38
Exercise 1 Creating Firewall Objects & Rules .............................................................................................39
Exercise 2 Policy Actions ............................................................................................................................41
Exercise 3 Access through Virtual IPs.........................................................................................................43
Exercise 4 Dynamic NAT with IP Pools .......................................................................................................46
Exercise 5 Device Identification...................................................................................................................48

FIREWALL AUTHENTICATION .........................................................................50


Lab 1: User Authentication......................................................................................................50
Objectives.....................................................................................................................................................50
Time to Complete .........................................................................................................................................50
Exercise 1 Authentication via a Firewall Policy............................................................................................51
Exercise 2 Captive Portals ..........................................................................................................................54

SSL VPN ....................................................................................................56


Lab 1: SSL VPN ......................................................................................................................56
Objectives.....................................................................................................................................................56
Time to Complete .........................................................................................................................................56
Exercise 1 SSL VPN for Web Access .........................................................................................................57
Exercise 2 Testing Authentication ...............................................................................................................59
Exercise 3 Accessing Resources Beyond Different Interfaces ....................................................................61

BASIC IPSEC VPN .......................................................................................62


Lab 1: IPsec VPN....................................................................................................................62
Objectives.....................................................................................................................................................62
Time to Complete .........................................................................................................................................62
Exercise 1 Site-to-Site IPsec VPN...............................................................................................................63

EXPLICIT WEB PROXY ..................................................................................66


Lab 1: Explicit Web Proxy .......................................................................................................66
Objectives.....................................................................................................................................................66
Time to Complete .........................................................................................................................................66
Exercise 1 Configuring the Explicit Web Proxy............................................................................................67
Exercise 2 Using a PAC File .......................................................................................................................70

ANTIVIRUS ...................................................................................................73
Lab 1: Antivirus Scanning .......................................................................................................73
Objectives.....................................................................................................................................................73
Time to Complete .........................................................................................................................................73
Exercise 1 Antivirus & Block pages .............................................................................................................74
Exercise 2 Flow vs Proxy scanning .............................................................................................................76

WEB FILTERING ...........................................................................................77


Lab 1: Web Filtering ................................................................................................................77
Lab Objectives..............................................................................................................................................77
Time to Complete .........................................................................................................................................77
Exercise 1 FortiGuard Web Filtering ...........................................................................................................78
Exercise 2 Web Profile Overrides................................................................................................................81

APPLICATION CONTROL ...............................................................................82


Lab 1: Application Identification ..............................................................................................82
Objectives.....................................................................................................................................................82
Time to Complete .........................................................................................................................................82
Exercise 1 Creating an Application Control List...........................................................................................83
Exercise 2 Limiting YouTube Traffic ............................................................................................................84
Exercise 3 Fine Tuning Web Site Access....................................................................................................85

APPENDIX A: ADDITIONAL RESOURCES........................................................86


APPENDIX B: PRESENTATION SLIDES............................................................87
Module 1: Introduction to Fortinet Unified Threat Management.............................................88
Module 2: Logging and Monitoring .........................................................................................126
Module 3: Firewall Policies .....................................................................................................162
Module 4: Firewall Authentication...........................................................................................231
Module 5: SSL VPN ................................................................................................................273
Module 6: Basic IPsec VPN ....................................................................................................305
Module 7: Antivirus..................................................................................................................337
Module 8: Explicit Proxy..........................................................................................................369
Module 9: Web Filtering ..........................................................................................................407

Module 10: Application Control...............................................................................................433


Virtual Lab Basics Topology

Virtual Lab Basics


In this class, you will use a virtual lab for hands-on exercises. This section explains how to connect to
the lab and its virtual machines. It also shows the topology of the virtual machines in the lab.
Note: If your trainer asks you to use a different lab, such as devices physically located in
your classroom, please ignore this section. This applies only to the virtual lab accessed
through the Internet. If you do not know which lab to use, please ask your trainer.


Topology
[Network diagram. The devices, interfaces, and addresses it shows are listed here.]
FortiManager: port1 10.0.1.241, port2 10.200.1.241
FortiAnalyzer: port1 10.0.1.210, port3 10.200.1.210
WIN-LOCAL: 10.0.1.10
LOCAL (the FortiGate called Student in the labs): port1 10.200.1.1/24, port2 10.200.2.1/24, port3 10.0.1.254/24
LINUX: eth0 (no address shown), eth1 10.200.1.254, eth2 10.200.2.254, eth3 10.200.3.254, eth4 10.200.4.254
REMOTE FortiGate: port4 10.200.3.1/24, port5 10.200.4.1/24, port6 10.0.2.254/24
WIN-REMOTE: 10.0.2.10

Logging In
1. Run the System Checker. This will fully verify both:
• compatibility with the virtual lab environment's software, and
• that your computer can connect.
It can also diagnose problems with your Java Virtual Machine, firewall, or web proxy.
Use the URL for your location.
North America/South America:
https://remotelabs.training.fortinet.com/training/syscheck/?location=NAM-West


Europe/Middle East/Africa:
https://remotelabs.training.fortinet.com/training/syscheck/?location=Europe
Asia/Pacific:
https://remotelabs.training.fortinet.com/training/syscheck/?location=APAC
If a security confirmation dialog appears, click Run.

If your computer successfully connects to the virtual lab, the result messages for the browser and
network checks will each display a check mark icon. Continue to the next step.
If a browser test fails, this will affect your ability to access the virtual lab environment. If a network
test fails, this will affect the usability of the virtual lab environment. For solutions, either click the
Support Knowledge Base link or ask your trainer.
2. With the user name and password from your trainer, log into the URL for the virtual lab. Either:
• https://remotelabs.training.fortinet.com/
• https://virtual.mclabs.com/

3. If prompted, select the time zone for your location, then click Update.
This ensures that your class schedule is accurate.
4. Click Enter Lab.

A list of virtual machines that exist in your virtual lab should appear.


From this page, you can access the console of any of your virtual devices by either:
• clicking on the device's square, or
• selecting System > Open.


5. Click K2-Win-Student to open a connection to that server.

A new window should open within a few seconds. (Depending on your account's preferences, the
window may be a Java applet. If this fails, you may need to change browser settings to allow Java to
run on this web site. You also may need to review and accept an SSL certificate.)

Depending on the virtual machine, the applet provides access to either the GUI or a text-based
CLI. Connections to Windows machines will use a Remote Desktop-like GUI. The applet
should automatically log in, then display the Windows desktop. For most lab exercises, you will
connect to this VM.


Disconnections/Timeouts
If your computer's connection with the virtual machine times out or if you are accidentally disconnected,
to regain access, return to the initial window/tab that contains your session's list of VMs and open the
VM again.
If your session frequently times out or does not connect, ask your instructor.

Transferring Files to the VM


When using the Java applet to connect to a VM, you can drag-and-drop files from your computer to
the VM. For example, if you have a FortiGate configuration file that you want to upload to your lab VM,
you could create it on your computer, then drag it into the Java application window that is connected to
the Windows VM. Usually the destination folder is C:\Uploads.
Alternatively, if you store files in a cloud service such as Dropbox or SugarSync, you can use the web
browser to download them to your VM instead.

Using HTML5 Instead of Java


When you open a VM, your browser may download and use a Java application to connect to the
virtual lab's VM. This means that Java must be installed, updated, and enabled in your browser.
Alternatively, you can use HTML5 instead. Click the Settings button, then select Use Java Client. Click
Save & Disconnect, then log in again. (To use this preference, your browser must allow cookies.)


When connecting to a VM, your browser should then open a display in a new window or tab.

Screen Resolution
Some Fortinet devices' user interfaces require a minimum screen size.
In the Java client, to configure the screen resolution, click the arrow at the top of the window.

In the HTML 5 client, to configure screen resolution, open the System menu.

International Keyboards
If characters in your language don't display correctly, keyboard mappings may not be correct.


To solve this in the HTML 5 client, open the Keyboard menu at the top of the window. Choose to either
display an on-screen keyboard, or send text from your computer to the VM's clipboard.

To solve this in the Java client, copy and paste between your computer and the Java applet. This
sends special characters or combinations using the keyboard icon at the top of the applet window.

Troubleshooting Tips

If the HTML 5 client does not work, try the Java client instead. Remembering this preference
requires that your browser allow cookies.

Do not connect to the virtual lab environment through a low-bandwidth or high-latency connection,
including VPN tunnels or wireless such as 3G or Wi-Fi. For best performance, use a stable
broadband connection such as a LAN.

Do not disable or block Java applets. On Mac OS X since early 2014, to improve security, Java
has been disabled by default. In your browser, you must allow Java for this web site. On
Windows, if the Java applet is allowed and successfully downloads, but does not appear to
launch, you can open the Java console while troubleshooting. To do this, open the Control
Panel, click Java, and change the Java console setting to be Show console.
Network firewalls can also block Java executables.
Note: JavaScript is not the same as Java.


Prepare your computer's settings:
• Disable screen savers
• Change the power saving scheme so that your computer is always on, and does not go to
sleep or hibernate

If disconnected unexpectedly from any of the virtual machines (or from the virtual lab portal),
please attempt to reconnect. If unable to reconnect, please notify the instructor.

If during the labs, particularly when reloading configuration files, you see a message similar to the
one shown below, the VM is waiting for a response from the authentication server.

To retry immediately, go to the console and enter the CLI command:
exec update-now


Introduction to Fortinet UTM Lab 1: Initial Setup and Configuration

Introduction to Fortinet UTM


Lab 1: Initial Setup and Configuration
This lab will provide an initial orientation to FortiGate's administrative GUI and CLI, and (if necessary)
will guide you through basic setup. Additionally, this lab will guide you through how to properly back up
and restore a configuration file.
If you see this:

it indicates that FortiGate VM is waiting for a response from the license authentication server. Typically
this happens after reboot, after you upload a new FortiGate configuration file. If that server was
rebooting or connectivity was interrupted, for example, at the same time that FortiGate VM was
rebooting and sending the request, then the server may not have received the request. FortiGate VM
will periodically retry, but you can manually initiate an immediate retry. To force an immediate license
authentication retry, go to FortiGate's CLI and enter:
execute update-now

Objectives

• Configure FortiGate network interfaces and a default route for administrative access via your
lab network, such as with a web browser, Telnet, or SSH client
• Distinguish between encrypted vs. non-encrypted configuration backups
• Back up and restore configuration files
• Find the FortiGate model and FortiOS firmware build information inside a configuration file

Time to Complete
Estimated: 15 minutes


Exercise 1 (Optional) Configuring Network Interfaces on the Student & Remote FortiGate
Before proceeding, please ask your instructor if these steps are required for your specific classroom.
You must do this exercise only if your lab environment was initialized with blank FortiGate images.
1. Open the console of the FortiGate that is named Student.
2. At the login prompt, enter the username admin (all lower case). Leave the password blank.
3. To be able to access the Student FortiGate's GUI, you must first configure the port3 interface.
Assign its IP address, and specifically allow HTTP connections to the GUI:
conf system interface
edit port3
set ip 10.0.1.254/24
set allowaccess http
end
After you enter the "end" command, FortiGate saves its running configuration in RAM, and also
saves it to the flash disk.
HTTPS and SSH are recommended for administrative access to FortiGate because those protocols
provide authentication and encryption. The other available protocols (PING, SNMP, HTTP, and Telnet)
do not encrypt the session, so an HTTP or Telnet login sends the admin credentials in cleartext.
4. Verify that you've entered your configuration correctly by entering this command:
show system interface
Alternatively, you can enter a shorter form:
show sys int
5. On the Windows server, open Firefox. Go to the URL that is the FortiGate's IP address on port3:
http://10.0.1.254
6. If a security warning appears, accept the FortiGate's self-signed certificate.
The login page should appear. If it does not, ask your instructor before continuing.
Note: To access the FortiGate GUI, your web browser must support cookies and
JavaScript. These are required for correct behavior and display.
7. Open the console of the FortiGate that is named Remote.
8. At the login prompt, enter the username admin (all lower case). Leave the password blank.
9. Enter the following CLI commands to set the port4 IP address and access control settings for
your device.
conf system interface


edit port4
set ip 10.200.3.1/24
set allowaccess http ping
end
10. Verify that a valid default gateway route exists:
show router static
If there is no static route for port4, enter the commands below to set it. (Routing will be explained
in more detail in a later lesson.)
conf route static
edit 0
set device port4
set gateway 10.200.3.254
end
11. Verify that you have entered your configuration correctly.
show system interface
show router static
You can't connect to the Remote FortiGate's GUI yet. Before you can do that, you must first
configure the FortiGate named Student with a route and a firewall policy that allows and routes
that management traffic to the FortiGate named Remote. You will add this configuration in a later
lab exercise.
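The checks this lab asks you to make by hand (which interfaces allow which management protocols, and the model, firmware version and build recorded in a backup) can be run against a backup file instead. The following Python script is an added example, not code from the Fortinet guide: it reads the plaintext #config-version header that FortiOS writes at the top of a backup (assumed here to remain readable even when the body is encrypted), treats a file with no readable "config system" stanza as an encrypted backup (a heuristic, not a documented format rule), and flags every interface whose allowaccess includes HTTP or Telnet, the cleartext protocols step 3 advises against. The two backup files embedded in it are constructed for the example.

```python
"""Audit a FortiGate configuration backup (added example; not Fortinet code)."""
import re
from dataclasses import dataclass, field

# Header line as written by FortiOS at the top of a backup, for example:
# #config-version=FGVM64-5.2.1-FW-build618-141014:opmode=0:vdom=0:user=admin
HEADER_RE = re.compile(
    r"^#config-version=(?P<model>[^-]+)-(?P<version>[\d.]+)-FW-build(?P<build>\d+)"
    r"-\d+:opmode=\d:vdom=\d:user=\S+$"
)
# Management protocols that carry the admin login unencrypted.
CLEARTEXT = {"http", "telnet"}


@dataclass
class BackupInfo:
    model: str
    version: str
    build: str
    encrypted: bool
    # interface name -> set of protocols listed in 'set allowaccess'
    interfaces: dict = field(default_factory=dict)

    def exposed(self):
        """Interfaces that accept at least one cleartext management protocol."""
        return {name: sorted(protos & CLEARTEXT)
                for name, protos in self.interfaces.items() if protos & CLEARTEXT}


def parse_backup(text: str) -> BackupInfo:
    lines = text.splitlines()
    match = HEADER_RE.match(lines[0]) if lines else None
    if match is None:
        raise ValueError("not a FortiGate backup: missing #config-version header")
    # Heuristic (assumption): an encrypted backup keeps the header but its body is
    # an opaque blob, so no plaintext 'config system ...' stanza can be found.
    encrypted = not any(l.lstrip().startswith("config system ") for l in lines)
    info = BackupInfo(match["model"], match["version"], match["build"], encrypted)
    if encrypted:
        return info
    in_iface, current = False, None
    for raw in lines:
        line = raw.strip()
        if line == "config system interface":
            in_iface = True
        elif not in_iface:
            continue
        elif line == "end":            # closes the interface table
            in_iface = False
        elif line.startswith("edit "):  # edit "port3"
            current = line[5:].strip('"')
            info.interfaces[current] = set()
        elif line == "next":
            current = None
        elif current and line.startswith("set allowaccess "):
            info.interfaces[current] = set(line.split()[2:])
    return info


def report(text: str) -> list:
    """Human-readable findings for the contents of one backup file."""
    info = parse_backup(text)
    out = [f"{info.model} FortiOS {info.version} build {info.build}"
           f" ({'encrypted' if info.encrypted else 'plaintext'} backup)"]
    if info.encrypted:
        out.append("body is encrypted; allowaccess cannot be audited without the password")
    for name, protos in info.exposed().items():
        out.append(f"{name}: cleartext management allowed via {', '.join(protos)}")
    return out


# Constructed sample backups (not real device exports). The plaintext one mirrors
# the lab's Student FortiGate, where port3 was configured with 'set allowaccess http'.
SAMPLE_PLAIN = """\
#config-version=FGVM64-5.2.1-FW-build618-141014:opmode=0:vdom=0:user=admin
#buildno=618
#global_vdom=1
config system global
    set hostname "STUDENT"
end
config system interface
    edit "port1"
        set ip 10.200.1.1 255.255.255.0
        set allowaccess ping https ssh
    next
    edit "port2"
        set ip 10.200.2.1 255.255.255.0
        set allowaccess ping http telnet
    next
    edit "port3"
        set ip 10.0.1.254 255.255.255.0
        set allowaccess http
    next
end
"""

SAMPLE_ENCRYPTED = """\
#config-version=FGVM64-5.2.1-FW-build618-141014:opmode=0:vdom=0:user=admin
#buildno=618
#global_vdom=1
CONSTRUCTED-PLACEHOLDER-FOR-ENCRYPTED-BODY
"""

if __name__ == "__main__":
    for sample in (SAMPLE_PLAIN, SAMPLE_ENCRYPTED):
        print("\n".join(report(sample)), end="\n\n")
```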


Exercise 2 Exploring the Command Line Interface


1. Open the console of the FortiGate that is named Student.
2. At the login prompt, enter the username admin (all lower case). Leave the password blank.
3. Enter the command to display basic status information about that FortiGate:
get system status
Output shows the FortiGate's serial number, firmware version, operation mode, and other
information.
4. Verify that the firmware version is the correct one for this class.
5. Enter the following, then press the Return key:
get ?
Note: The ? character is not displayed on the screen.

This shows all words that the CLI will accept next after the get command. When the --More
prompt appears in the CLI, either press the spacebar key to continue scrolling, press the Enter key
to scroll one line at a time, or press the Q key to exit.
Depending on the command, you may need to enter additional words to completely specify a
configuration object.
6. Press the up arrow key. This displays the previous get system status command. Try some
of the other control key sequences that are summarized below.
Previous command           up arrow, or CTRL+P
Next command               down arrow, or CTRL+N
Beginning of line          CTRL+A
End of line                CTRL+E
Back one word              CTRL+B
Forward one word           CTRL+F
Delete current character   CTRL+D
Clear screen               CTRL+L
Abort command and exit     CTRL+C

CTRL+C is context-sensitive, but usually it aborts the current command. If you were in a subcommand, it returns you to the parent command. Otherwise, it will terminate your current
administrative session. To continue, you must log in again.
7. Enter the command:
execute ?
This lists all words that the CLI will accept next after the execute command.


8. Type:
execute
then press the Tab key 3 times.
The first time you press the Tab key, notice that the CLI adds the next word in the command. It is
the first word in the list from the previous step. Each time that you press the Tab key after that,
notice that the CLI replaces that word with the next possible word in the list, in alphabetical order,
until you press the spacebar key. This indicates that you have selected that word, and are ready to
enter the next word (if any).
9. Enter the following CLI commands.
config ?
show ?
Compare the list of valid next words for each one. Notice that there are some differences in the
CLI structure for each command, including show full-configuration.
config enters settings. show displays only the configuration differences from the firmware's default
settings, unless you enter show full-configuration.
10. Enter the CLI commands to display the FortiGate's port3 interface configuration. Compare the
output for each.
Only the characters shown in bold typeface must be typed. If you want to auto-complete each
word in the command (in order to verify that it is unambiguous, for example), press the Tab key
after the characters in bold.
show system interface port3
show full-configuration system interface port3
Tip: Almost all commands can be abbreviated. In presentations and labs, many of the
commands that you see will be in abbreviated form.
Use this technique to reduce the number of keystrokes that are required to enter a
command. In this way, experts can often configure a FortiGate faster via CLI than GUI.
If there are other commands that start with the same characters, your abbreviation must
be long enough to be specific, so that FortiGate can distinguish them. Otherwise, the CLI
will display an error message about ambiguous commands.


Exercise 3 Restoring a Configuration from Backup


1. On the Win-Student server, open Firefox. Connect to the Student FortiGate's GUI, and log in as
admin.
http://10.0.1.254/
Note: All the lab exercises were fully tested running Mozilla Firefox in Win-Student and
Win-Remote servers. For this reason, and to get consistent results, we recommend it
as the browser to access the Internet and the FortiGate GUIs from this virtual
environment.
2. Go to System > Dashboard > Status. In the System Information row, click the Restore link.
A dialog should appear where you can select which configuration backup file to restore.
(If your lab started with blank FortiGate images whose IP address you needed to configure in
Exercise 1, then this FortiGate is not yet configured with the host name STUDENT as shown in
the image. This should appear after you upload a configuration in the next step.)

3. Click the button that enables you to select which backup file to restore. (The name of this button
varies by browser.)

Select the file named Resources\Introduction\student-initial.conf, then click Restore. This file is
the prerequisite configuration for the next lab.
After your browser uploads the configuration, the FortiGate will automatically reboot. The
length of the restoration process varies by how complex the configuration is. More complex
configurations take more time to parse and validate. Most configurations take FortiGate less than
1 minute to validate and then reboot.
4. Refresh the web page and log in again to the GUI on the Student FortiGate.
Go to System > Network > Interface and then Router > Static > Static Route. Verify that the
network interface settings and default route were restored.
5. Go to System > Network > DNS Server. Review the student and remote DNS zones.
• In the Student DNS zone, verify the IPv4 Address (A) records and Pointer (PTR) records for
the student FortiGate device (10.0.1.254) and the Windows server (10.0.1.10).
• In the Remote DNS zone, check the IPv4 Address (A) records and Pointer (PTR) records for
the Remote FortiGate device (10.200.3.1) and the Windows host (10.0.2.10).

By providing a DNS server for your management network, FortiGate lets you reach these lab
devices by domain name instead of by IP address. For this to work, the Windows server must be
configured to use the Student FortiGate's port3 IP address (10.0.1.254) as its DNS server.
6. On the Windows server, open a command prompt. Use the following commands to verify the DNS
lookup results.
nslookup server.student.lab 10.0.1.254
nslookup fgt.student.lab 10.0.1.254
nslookup pc.remote.lab 10.0.1.254
nslookup fgt.remote.lab 10.0.1.254
Note: The parameters of the nslookup command are:
nslookup [-option] [hostname] [server]
7. Open a web browser. Go to these URLs to verify that you can use domain names to reach the
GUI of both the Student and Remote FortiGate:

http://fgt.student.lab

http://fgt.remote.lab

Exercise 4 Making Configuration Backups


1. On the Win-Student server, open a browser and log in to the Student FortiGate's GUI:
https://fgt.student.lab
2. Go to System > Dashboard > Status. In the System Information widget, click the Backup link.

3. Select Encrypt configuration file, enter the password fortinet, then click the Backup button to
save the encrypted configuration file to the desktop with the filename student-initial-enc.conf.
(You may need to change your web browser's settings so that it prompts you for the location to
save files. In Firefox, go to Tools > Options > General and select Always ask me where to save files.)
Caution: Always back up the configuration file before changing your device (even if the
change seems minor or unimportant). There is no undo. Restoring a backup will allow you to
quickly revert changes if you discover problems.
To distinguish between files from multiple FortiGates, use a naming convention such as their
host names.
4. In the System Information widget, click Restore. Select the file that you downloaded in the
previous step (student-initial-enc.conf), then click the Restore button.
Notice that this time you must enter the password fortinet, because the file is password-encrypted.
5. Using Notepad or Notepad++, open the file student-initial.conf. In a second instance of the
same editor, open the file student-initial-enc.conf and compare the two.
Note: In both the normal and encrypted configuration the top of the file acts as a
header, describing the firmware and model information this configuration
belongs to.

Lab 2: Administrative Access


In this lab, you will create and modify administrative access permissions.

Objectives

Create a new administrative user

Restrict administrative access

Time to Complete
Estimated: 10 minutes

Exercise 1 Administrators, Passwords, and Permissions


1. On the Win-Student server, open a browser and log in to the Student FortiGate's GUI:
https://fgt.student.lab
2. Go to System > Admin > Settings and select Enable Password Policy.
Configure these settings:
Minimum Length:
Must Contain: Enable; 1 Upper Case Letter; 1 Numerical Digit
Enable Password Expiration: Enable; 90 days

Click Apply to save the changes.


3. Log out of the GUI.
4. Log in again.
Due to the password policy that you just configured, FortiGate should prompt you to enter a new
administrator password. Enter a new password that meets the requirements.
5. Go to System > Admin > Admin Profile. Create a new profile called Security_Admin_Profile. Set
Security Profile Configuration to Read-Write, but set all other permissions to Read Only.
Click OK to save the changes.
6. Go to System > Admin > Administrators. Click Create New to add a new administrator account
that is named Security_Admin.
In Admin Profile, select the profile created in the previous step. This limits that administrator's
access: the account will only be able to create and modify security profiles.
Note: Administrator names and passwords are case-sensitive. You cannot include
characters such as < > ( ) # " in an administrator account name or password. Spaces are
allowed, but not as the first or last character. To enter spaces in a name or password via
the CLI, you must enclose each in straight quotes ( ' ).
Caution: For convenience in the lab, you will not set the password of the account named
admin. However, in real networks, you should always set administrator passwords, make
them strong, and change them often.
Click OK to save the changes.
7. Go to System > Dashboard > Status. In the CLI Console widget, enter the following commands to
view the configuration of the administrator accounts and profiles:
show system admin
show system accprofile
8. Log out of the admin account's GUI session.


9. Log in as Security_Admin with its password.
10. Test this administrator's access: try to create or modify settings on the Student FortiGate that
the account's profile does not allow.
You should see that this account can only configure security profiles.

Exercise 2 Restricting Administrator Access


1. On the Win-Student server, open a browser and go to the Remote FortiGate's GUI:
http://fgt.remote.lab
Log in as the admin account (all lower case) with no password.
2. Go to System > Admin > Administrators. Edit the admin account and enable the setting Restrict
this Admin Login from Trusted Hosts Only. Set Trusted Host #1 to the address 10.0.2.0/24.
Click OK to save the changes.
3. Try connecting to the GUI of the Remote FortiGate again. What is the result this time?
Your connection arrives from 10.200.1.1 (because of source NAT on the Student FortiGate), which is
not within the trusted host range you configured, so the login is refused: administrative access for
this account is now restricted to the source IP addresses listed in Trusted Hosts.
4. Attempt to ping 10.200.3.1. You should notice that FortiGate also doesn't respond to ping
anymore. This is also blocked by the restriction on source IP.
5. Open the console of the Remote FortiGate device. Enter the following CLI commands to add
10.200.0.0/16 as the second trusted IP address (Trusted Host #2) of the admin account:
conf sys admin
edit admin
set trusthost2 10.200.0.0/16
end
6. Try to ping the Remote FortiGate and access its GUI again. Access should be restored.
7. Go to System > Dashboard > Status. In the System Information widget, in the Current
Administrator row, click the Details link.
The GUI should display a list of administrators currently logged in to the FortiGate.
8. By default, each source IP address can attempt to log in up to 3 times. If they fail 3 times, they are
locked out for 60 seconds.
To help improve the overall password security, use the CLI to decrease the maximum number of
attempts and increase the lockout timer:
config system global
set admin-lockout-threshold 2
set admin-lockout-duration 100
end

Logging & Monitoring


Lab 1: Status Monitor and Event Log
In this lab, you will work with FortiGate's event log and monitoring.

Objectives

Enable logging of system events

Locate event logs for specific information

Time to Complete
Estimated: 10 minutes

Exercise 1 Using the GUI's Status Monitor


1. On the Windows server, open a web browser. Go to the URL that is port3's IP address on the
FortiGate named Student, and log in as admin.
http://10.0.1.254/
2. Go to System > Dashboard > Status and locate the System Resources widget.
This widget provides a snapshot of the overall resource utilization on the FortiGate.
3. Some widgets are not displayed on the dashboard by default. Click Widget to display the list of
widgets available to add to the dashboard.

If it is not already present, click the All Sessions widget in the pop-up window to add it to the
dashboard.
Close the widget list window. A widget can be removed from the page by clicking the X in the
upper left corner of its title bar.
4. Hover the mouse over the title bar of the System Resources widget and click Edit to create a
custom widget.

Configure these settings:
Custom Widget Name: System Resource History
View Type: Historical
Time Period: Last 60 minutes

A line chart appears in a new custom System Resource History widget showing a trace of CPU,
memory and sessions over the past hour.
The refresh rate of this window is automatically set to 1/20 of the time period (interval) configured.
5. The Alert Message Console widget displays recent system events, such as system restart and
firmware upgrade.
Hover the mouse over the title bar of the Alert Message Console widget and click History to view
the entire message list.

Note: If there are no alerts you can reboot the FortiGate in order to see
one. To do so, connect to the CLI and use the command exe reboot
6. At the top of the dashboard, click Dashboard and select Add Dashboard.

Enter any name of your choice for the new dashboard and select the single column display.

The new dashboard appears as a selectable menu option on the right-hand side.

7. Next add the All Sessions widget on your new dashboard. Click the edit icon in the title bar of the
All Sessions widget and observe the different ways in which sessions can be reported. For
example, by top Destination Address, top Applications etc. You can also select to display the top
sessions by Source and Destination interfaces. Create your own customized Top Sessions widget
and examine the sessions that are listed.
Some widgets are only allowed to appear on 1 dashboard at a time. For example, System
Information cannot be added to this new dashboard until the widget is removed from the Status
dashboard.
8. Test the functionality of the refresh, page forward, and page back icons in this window. You may
need to generate some additional traffic in order to properly test these functions.
9. Click Dashboard and select Reset Dashboards to reset all the dashboards to the default.

Exercise 2 Event Log & Logging Options


1. From the Student FortiGate CLI, check the overall status of the FortiGate:
get system status
2. Verify the Log hard disk status. If it is set to Available proceed to Step 3. If the status appears as
Need Format, enter the following command to format the drive.
execute formatlogdisk
When prompted to continue, type y and wait for the system to reboot.
Once the system has restarted, check the log disk settings by executing the following command:
config log disk setting
get
You should observe that the status is enabled.
3. Repeat the previous steps on the Remote FortiGate device.
4. Return to the Student FortiGate device and log out of the GUI. When logging back in, use an
incorrect password once and then use the correct password to log back in again.
Go to Log & Report > Event Log > System and examine the log to find the invalid password event.
5. Go to Policy & Objects > Objects > Address, and create a new firewall address using the following
settings:
Name: fortinet
Type: FQDN
FQDN: www.fortinet.com

Leave the remaining settings at their defaults and click OK to save the changes.
6. Next go to Log & Report > Event Log > System and review the log entries.
7. Go to Log & Report > Log Config > Log Setting and uncheck the option System activity event.

Click Apply to save the changes.


Different types of log entries fall into different categories. Enable logging only for the activities
you need to monitor. This avoids filling the logs with information you do not need and consuming
system resources unnecessarily.
8. Go to Policy & Objects > Objects > Address and create another firewall address entry. Go to Log
& Report > Event Log > System and review the log entries again.
Note that entries for this activity no longer appear. With this option deselected in the event
logging settings, you will no longer see log entries for administrators logging in or out, or
making changes to the unit's configuration. Other types of log entries still appear.
9. Go to Log & Report > Log Config > Log Settings and re-enable System activity event.
When a change is made to your firewall, it is best to have a log event for it, in case you later need
to find out when something was changed, and by whom.

Lab 2: Remote Monitoring


The aim of this lab is to set up logging to a remote device and monitoring of the FortiGate unit's
behavior. Remote monitoring can be preferable to local monitoring because it reduces resource
usage on the FortiGate: while the GUI widgets provide useful displays of system information, they
also carry a significant resource cost and should be used sparingly.

Objectives

Enabling monitoring by Syslog and SNMP servers

Time to Complete
Estimated: 10 minutes

Exercise 1 Remote Logging & SNMP Monitoring


The Linux server in your lab environment has been pre-configured to accept syslog messages.
1. From the CLI on the Student FortiGate, enter the following commands to set up logging to the
syslog server:
conf log syslogd setting
set status enable
set facility local6
set server 10.200.1.254
end
2. Repeat the above step from the CLI on the remote FortiGate device.
3. On the Win-Student server, open the putty.exe application. Open an SSH session to the Linux
server (10.200.1.254).

Log in as root and with the password password.


4. Run the following command to follow the FortiGate syslog messages, which the local6 facility
maps to their own file:
tail -f /var/log/fortinet
5. Leave the SSH window open and return to the student FortiGate device and generate some
log entries:
Attempt to log in with invalid credentials

Make a minor configuration change
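The invalid-password event you searched for in the local event log (Exercise 2 of the previous lab) arrives at the syslog server in the same key=value format as every other FortiGate event, so it can be parsed and correlated off-box. The following Python script is an added example, not part of this guide or of FortiOS: it parses lines in that format, counts events per device and log description (useful for seeing what a log setting such as System activity event actually produces), and flags sources with repeated failed administrator logins. The sample lines are constructed to resemble FortiOS 5.2 event logs; the field names (logdesc, srcip, action, status) follow the FortiOS convention, but the exact field set and the logid values are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the FortiOS key=value event-log style (not output
# captured from the lab): two failed admin logins and one success from the
# Win-Student host against STUDENT, one configuration change, and one failed
# login against REMOTE arriving from the NATed Student address.
SAMPLE_SYSLOG = """\
date=2015-04-30 time=10:12:01 devname=STUDENT logid=0100032002 type=event subtype=system level=alert vd="root" logdesc="Admin login failed" user="admin" ui=https(10.0.1.10) method=https srcip=10.0.1.10 dstip=10.0.1.254 action=login status=failed reason="passwd_invalid" msg="Administrator admin login failed from https(10.0.1.10) because of invalid password"
date=2015-04-30 time=10:12:04 devname=STUDENT logid=0100032002 type=event subtype=system level=alert vd="root" logdesc="Admin login failed" user="admin" ui=https(10.0.1.10) method=https srcip=10.0.1.10 dstip=10.0.1.254 action=login status=failed reason="passwd_invalid" msg="Administrator admin login failed from https(10.0.1.10) because of invalid password"
date=2015-04-30 time=10:12:09 devname=STUDENT logid=0100032001 type=event subtype=system level=information vd="root" logdesc="Admin login successful" user="admin" ui=https(10.0.1.10) method=https srcip=10.0.1.10 dstip=10.0.1.254 action=login status=success reason="none" msg="Administrator admin logged in successfully from https(10.0.1.10)"
date=2015-04-30 time=10:13:30 devname=STUDENT logid=0100044547 type=event subtype=system level=information vd="root" logdesc="Object attribute configured" user="admin" ui="GUI(10.0.1.10)" action=Add cfgtid=1 cfgpath="firewall.address" cfgobj="fortinet" msg="Add firewall.address fortinet"
date=2015-04-30 time=10:20:15 devname=REMOTE logid=0100032002 type=event subtype=system level=alert vd="root" logdesc="Admin login failed" user="root" ui=ssh(10.200.1.1) method=ssh srcip=10.200.1.1 dstip=10.200.3.1 action=login status=failed reason="passwd_invalid" msg="Administrator root login failed from ssh(10.200.1.1) because of invalid password"
"""

# One key=value pair: the value is either double-quoted (and may contain spaces)
# or a run of non-whitespace characters such as https(10.0.1.10).
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortios_line(line):
    """Turn one FortiOS log line into a dict, stripping quotes from quoted values."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1]
        fields[key] = raw
    return fields


def parse_fortios_log(text):
    return [parse_fortios_line(line) for line in text.splitlines() if line.strip()]


def summarize(text):
    """Count events per (devname, logdesc)."""
    return Counter((f.get("devname"), f.get("logdesc")) for f in parse_fortios_log(text))


def failed_admin_logins(text, window=timedelta(seconds=60), threshold=2):
    """Group failed administrator logins by (devname, srcip) and flag any source
    that reaches `threshold` failures inside `window`. The default threshold mirrors
    the admin-lockout-threshold of 2 set in the Administrative Access lab."""
    attempts = defaultdict(list)
    for f in parse_fortios_log(text):
        if f.get("action") != "login" or f.get("status") != "failed":
            continue
        ts = datetime.strptime(f["date"] + " " + f["time"], "%Y-%m-%d %H:%M:%S")
        attempts[(f["devname"], f["srcip"])].append((ts, f.get("user", "")))

    flagged = {}
    for key, tries in attempts.items():
        tries.sort()
        # Sliding window anchored on each attempt in turn.
        for i, (start, _) in enumerate(tries):
            in_window = [user for t, user in tries[i:] if t - start <= window]
            if len(in_window) >= threshold:
                flagged[key] = (len(in_window), sorted(set(in_window)))
                break
    return flagged


if __name__ == "__main__":
    for (dev, desc), n in sorted(summarize(SAMPLE_SYSLOG).items()):
        print(f"{dev:8} {n:3}  {desc}")
    for (dev, src), (n, users) in failed_admin_logins(SAMPLE_SYSLOG).items():
        print(f"ALERT {dev}: {n} failed admin logins from {src} as {users}")
```

Point the script at the file the local6 facility writes (/var/log/fortinet in this lab) instead of SAMPLE_SYSLOG to run it against real output. Note that the source address it sees for the Remote FortiGate is the NATed address 10.200.1.1, not the Windows server, which is the same effect you met with Trusted Hosts.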

6. From the GUI on the Student FortiGate, go to System > Config > SNMP to enable SNMP monitoring.
Select Enable for the SNMP Agent at the top, then click Apply.

7. Create a new SNMP v3 user. Set the Security Name to training (the user name that the snmpwalk
command in step 9 passes with -u), set Authentication to SHA1 with the Auth password fortinet,
leave privacy (encryption) disabled (the snmpwalk command uses the authNoPriv security level),
and set the Notification host to 10.200.1.254.

Click OK.
8. Go to System > Network > Interfaces and edit port1. Confirm that SNMP is enabled under the
Administrative Access settings. If it is not enabled you will need to enable it first, then click OK to
save the changes.
9. Leave the SSH window open that is currently running the tail command and run putty again to
open a new SSH connection to the LINUX host (10.200.1.254).
Next, execute the following snmpwalk command to find and display all of the monitoring options
that a device presents through SNMP:
snmpwalk -v 3 -a sha -A fortinet -u training -l authNoPriv 10.200.1.1
A tree listing of all the options available to monitor this FortiGate VM device will be displayed.
To make the output easier to review, you can also append > snmp.test to the command above;
this saves the output to a file named snmp.test. Enter view snmp.test to read the file.

Firewall Policies
Lab 1: Firewall Policy
Objectives

Configure firewall policies in FortiOS

Configure source match options available in FortiOS firewall policies

Apply different firewall object types of Address, Service and Schedule

Configure firewall policy logging options

Configure NAT

Configure Source NAT settings using Overload IP Pools

Configure Destination NAT settings using Virtual IPs

Configure firewall policies based on device types

Reorder firewall policies

Use CLI commands to review your configuration and perform status checks

Time to Complete
Estimated: 40 minutes

Exercise 1 Creating Firewall Objects & Rules


1. On the Win-Student server, open a web browser. Go to the GUI for the FortiGate named Student,
and log in as admin.
http://10.0.1.254/
2. Restore the configuration file that is required by this lab:
Resources\Firewall-Policies\Student\student-policy.conf
FortiGate will reboot.
3. From the GUI on the Student FortiGate device, go to Policy & Objects > Objects > Addresses and
create the following address object:
Name: STUDENT_INTERNAL
Type: Subnet
Subnet/IP Range: 10.0.1.0/24
Interface: Any

Once the settings have been entered, click OK to save the changes.
4. The unrestricted port3-to-port1 policy must be temporarily disabled in the policy list. To do
this, go to Policy & Objects > Policy > IPv4, right-click the unrestricted port3-to-port1 policy and
select Status > Disable.
5. Next click Create New to add a new firewall policy to provide general Internet access from the
internal network. Configure these settings:
Incoming Interface: port3
Source Address: STUDENT_INTERNAL
Outgoing Interface: port1
Destination Address: all
Schedule: always
Service: HTTP, HTTPS, DNS, ALL_ICMP, SSH (hold down the CTRL key to select multiple services)
Action: ACCEPT
Enable NAT: Enabled
Use Destination Interface Address: Enabled
Log Options: Enable Log all Sessions and select Generate Logs when Session Starts
Comments: General Internet access

When creating firewall policies, remember that FortiGate is a stateful firewall. As a result, you
only need to create one firewall policy that matches the direction of the traffic that initiates the
session.
Once the policy settings have been entered, click OK to save the changes.
6. On the Windows server, open a web browser and connect to various external web sites.
7. From the GUI on the Student FortiGate device, go to Log & Report > Traffic Log > Forward Traffic
and identify the log entries for your Internet browsing traffic.
With the current settings you should have many 0 byte log messages with action start. These are
the session start logs.
When a session closes you get a separate log entry with the amount of data sent and received.
Logging session starts doubles the number of log messages, so use this option only when that
level of detail is absolutely necessary.
8. From the CLI, enter the following command to see the source NAT action.
# get system session list
Sample Output:
STUDENT # get sys session list
PROTO  EXPIRE  SOURCE           SOURCE-NAT         DESTINATION          DESTINATION-NAT
tcp    3600    10.0.1.10:3677   -                  10.0.1.254:22        -
tcp    3587    10.0.1.10:3717   10.200.1.1:64133   72.30.38.140:80      -
tcp    3570    10.0.1.10:3681   10.200.1.1:64097   69.171.228.70:80     -
tcp    3577    10.0.1.10:3710   10.200.1.1:64126   74.125.228.92:80     -
tcp    3587    10.0.1.10:3708   10.200.1.1:64124   74.125.228.92:80     -
tcp    3587    10.0.1.10:3706   10.200.1.1:64122   66.94.245.1:80       -
tcp    2274    10.0.1.10:3608   10.200.1.1:64024   10.200.1.254:22      -
tcp    3587    10.0.1.10:3712   10.200.1.1:64128   80.239.217.66:80     -
tcp    3566    10.0.1.10:3679   10.200.1.1:64095   74.125.227.24:80     -

Note that FortiGate is applying a new source address: that of the destination interface port1
(10.200.1.1).

Exercise 2 Policy Actions


1. Use the same steps you performed earlier to create a second firewall policy. Use Create New and
leave the policy in its default position. Configure these settings:
Incoming Interface: port3
Source Address: STUDENT_INTERNAL
Outgoing Interface: port1
Destination Address: click Create and configure the following, then click OK:
    Name: LINUX_ETH1
    Type: Subnet
    Subnet / IP Range: 10.200.1.254/32
Schedule: always
Service: PING (Tip: type the name in the search box)
Action: DENY
Log Violation Traffic: Enabled

Click OK to save the changes.


2. From the Windows server, open a command prompt. Ping the port1 gateway continuously:
ping -t 10.200.1.254
If you have not changed the rule ordering, the ping should still work because it matches the
ACCEPT policy and not the DENY policy that you just created. This demonstrates the behavior of
policy ordering. The second policy was never checked because the traffic matched the first policy.
Leave this window open and perform the next step.
3. Click the Seq.# for the DENY policy created previously and drag it up to position it before the
General Internet Access policy.
4. Return to the Windows server and examine the DOS command prompt window still running the
continuous ping. You should observe that this traffic is now blocked and the replies appear as
Request timed out. Enter CTRL-C to end the ping command.
5. From the GUI on the Student FortiGate device, go to Log & Report > Traffic Log > Forward Traffic
and identify the log entries for your Ping traffic.
With the current settings you should have one entry for the Ping traffic which was allowed
followed by many 0 byte log messages for the violation traffic.
6. To stop your logs filling up with 0 byte log messages, you can enable the following setting from
the CLI. It creates a session table entry for denied traffic, so that further packets belonging to the
same flow are dropped against that entry instead of being re-evaluated and logged again.
config system settings
set ses-denied-traffic enable
end
This setting will reduce the amount of logging entries caused by the violation traffic. Notice how
the time between log entries increases.

Exercise 3 Access through Virtual IPs


In this lab, you will configure a virtual IP address to allow Internet connections to the Windows server
located at 10.0.1.10.
1. Go to Policy & Objects > Objects > Virtual IPs. Click Create New to add a new virtual IP mapping:
Name: VIP_INTERNAL_HOST
External Interface: port1
Type: Static NAT
External IP Address/Range: 10.200.1.200 - 10.200.1.200
Mapped IP Address/Range: 10.0.1.10

Click OK to save the changes.


2. Create a new firewall policy to provide access to the web server. Configure these settings:
Incoming Interface: port1
Source Address: all
Outgoing Interface: port3
Destination Address: VIP_INTERNAL_HOST
Schedule: always
Service: HTTP, HTTPS
Action: ACCEPT
Log Options: Enable Log all Sessions and select Generate Logs when Session Starts
Enable NAT: Disabled (default)
Comments: Public access to web server

Click OK to save the changes.


3. The firewall is stateful so any existing sessions will not use this new firewall policy until they time
out or are cleared. The sessions can be cleared individually from the session widget on the Status
page or from the CLI by executing the following:
diag sys session clear
4. Connect to the console of the remote host, open a web browser and access the following URL:
http://10.200.1.200
If the virtual IP operation is successful a simple web page appears.

5. From the CLI on the Student FortiGate, check the destination NAT entries in the session table:
# get system session list
Sample Output:
STUDENT # get sys session list
PROTO  EXPIRE  SOURCE             SOURCE-NAT   DESTINATION        DESTINATION-NAT
tcp    3537    10.200.3.1:62426   -            10.200.1.200:80    10.0.1.10:80

6. On the Windows server, open a web browser and connect to a few external web sites. Now
examine the session information again as follows:
# get system session list
Sample Output:
STUDENT # get sys session list
PROTO  EXPIRE  SOURCE            SOURCE-NAT           DESTINATION           DESTINATION-NAT
tcp    3591    10.0.1.10:3995    10.200.1.200:3995    66.94.241.1:80        -
tcp    3590    10.0.1.10:3977    10.200.1.200:3977    72.30.38.140:80       -
tcp    3553    10.0.1.10:3965    10.200.1.200:3965    184.150.187.83:80     -
tcp    3592    10.0.1.10:3998    10.200.1.200:3998    74.125.228.92:80      -
tcp    3584    10.0.1.10:3969    10.200.1.200:3969    69.171.237.16:80      -
tcp    3596    10.0.1.10:4001    10.200.1.200:4001    208.91.113.80:80      -
tcp    3590    10.0.1.10:3983    10.200.1.200:3983    216.115.100.102:80    -
tcp    3590    10.0.1.10:3979    10.200.1.200:3979    216.115.100.103:80    -
tcp    3590    10.0.1.10:3987    10.200.1.200:3987    216.115.100.102:80    -
tcp    3590    10.0.1.10:3981    10.200.1.200:3981    216.115.100.103:80    -
tcp    3590    10.0.1.10:3985    10.200.1.200:3985    216.115.100.102:80    -
tcp    1013    10.0.1.10:3608    10.200.1.1:64024     10.200.1.254:22       -
tcp    3589    10.0.1.10:3976    10.200.1.200:3976    72.30.38.140:80       -
tcp    3591    10.0.1.10:3996    10.200.1.200:3996    184.150.187.99:80     -
tcp    3554    10.0.1.10:3967    10.200.1.200:3967    74.125.228.65:80      -
tcp    3590    10.0.1.10:3990    10.200.1.200:3990    216.115.100.103:80    -
tcp    3591    10.0.1.10:3978    10.200.1.200:3978    216.115.100.103:80    -
tcp    3590    10.0.1.10:3980    10.200.1.200:3980    216.115.100.103:80    -

Note that the outgoing connections from the Windows server are now being NATed with the VIP
address as opposed to the firewall address. This is a behavior of the source NAT (SNAT) VIP.
That is, when you enable SNAT on a policy, a VIP static NAT takes priority over the destination
interface IP address.

Exercise 4 Dynamic NAT with IP Pools


Currently, the Student FortiGate translates the source IP address of all traffic from the
Windows server to 10.200.1.200, because of the source NAT behavior of the static NAT VIP.
Now you will apply an IP address pool to change the behavior from static NAT to dynamic NAT.
1. On the Student FortiGate's GUI, go to Policy & Objects > Objects > IP Pools. Create a new IP
pool:
Name: INTERNAL_HOST_EXT_IP
Type: Overload
External IP Range/Subnet: 10.200.1.100

Once the pool settings have been entered, click OK to save the changes.
2. Go to Policy & Objects > Policy > IPv4, and right-click the outgoing General Internet Access
policy. Select Copy Policy, then right-click the same policy again and select Paste > Above.
3. Select the new copy of the General Internet Access policy and configure these settings:
Incoming Interface: port3
Source Address: STUDENT
Outgoing Interface: port1
Destination Address: all
Schedule: always
Service: ALL
Action: ACCEPT
Log Options: Enable Log all Sessions and select Generate Logs when Session Starts
Enable NAT: Enabled
Use Dynamic IP Pool: INTERNAL_HOST_EXT_IP
Comments: Windows Server source NAT override

Click OK to save the changes. Verify that you have enabled it.
4. FortiGate does stateful inspection, so any existing sessions will not use this new firewall policy
until they time out or you manually clear the session table. You can do this either individually from
the session widget on the dashboard, or clear the entire list from the CLI:
diag sys session filter src 10.0.1.10
diag sys session clear
5. Connect to a few web sites such as http://yahoo.com/. From the CLI on the Student FortiGate,
verify the source NAT IP address that those sessions are using:
# get system session list

Sample Output:
STUDENT # get system session list
PROTO  EXPIRE  SOURCE            SOURCE-NAT            DESTINATION            DESTINATION-NAT
tcp    3599    10.0.1.10:3963    10.200.1.100:64379    74.125.225.126:443     -
tcp    3599    10.0.1.10:3961    10.200.1.100:64377    74.125.225.111:443     -
tcp    3552    10.0.1.10:3953    10.200.1.100:64369    76.74.133.167:80       -
tcp    3597    10.0.1.10:3956    10.200.1.100:64372    74.125.225.118:80      -
tcp    3597    10.0.1.10:3954    10.200.1.100:64370    74.125.225.117:80      -
tcp    3598    10.0.1.10:3959    10.200.1.100:64375    199.7.57.72:80         -
tcp    16      10.0.1.10:3948    10.200.1.100:64364    66.36.238.121:22       -
tcp    3598    10.0.1.10:3958    10.200.1.100:64374    209.85.225.84:443      -
tcp    3599    10.0.1.10:3962    10.200.1.100:64378    74.125.225.99:443      -
tcp            10.0.1.10:3960    10.200.1.100:64376    98.139.200.238:80      -
tcp    3597    10.0.1.10:3955    10.200.1.100:64371    74.125.225.118:80      -

Notice that the source NAT address is now 10.200.1.100, as configured in the IP pool: the IP pool
selected on the policy has overridden the static NAT VIP.

Exercise 5 Device Identification


1. Disable all outgoing policies except for the General Internet Access policy.
2. From the Windows server, run a continuous ping to 10.200.1.254.
3. Edit the outgoing general Internet access policy. Select Source Device Type and choose a type
that will not match your Windows server, such as Linux PC. Click OK.
FortiGate will notify you that this action enables device identification on the source interface. Click
OK to accept this change.
Return to the continuous ping. You should observe that this traffic is now blocked. Try browsing the
Internet and confirm that the firewall blocks this traffic as well.
4. Go to your Forward Traffic log. You should observe that there are no log entries. This is
because the traffic matches the implicit deny policy, for which logging is not enabled by default.
Edit the implicit deny policy and enable log violation traffic. Return to the Forward Traffic log and
confirm there are logging entries for the denied traffic.
5. Edit the outgoing general Internet access policy and change the Source Device Type to Windows
PC to match your Windows server host.
Return to the continuous ping started earlier. You should observe that this traffic is allowed. Try
browsing the Internet and confirm that the firewall allows this traffic.
6. Go to User & Device > Device > Device Definition and review the details of your detected host
device.
This is a dynamic device list. FortiGate may update its list of devices and cache them on the flash
disk to speed up detection. Review the list from the CLI:
diag user device list
7. Clear the device from the CLI and then verify that it's removed:
diag user device clear
diag user device list
8. From the Windows server, visit a few web sites. This will generate traffic so that device
identification can detect the host. Usually, it will use the HTTP User-Agent: header.
9. Display the device list again, and look for the internal host.
diag user device list
10. Perform a show from the CLI to confirm there are no devices in the configuration file.
show user device
11. From the GUI, go to User & Device > Device > Device Definition. Edit your device from the
device list. Add an alias called myDevice. This creates a static device in the configuration file.
Click OK to save the change.
Perform the following show command to confirm that the device now appears in the
configuration file as a permanent device.
show user device
12. Go to User & Device > Device > Device Group. Note that your device is already a member of
several predefined device groups.
Click Create New and add a new device group called myDevGroup.
Add myDevice to the Members list and click OK.
Note that your device is still a member of the predefined groups and is now a member of the
custom group myDevGroup.
13. Return to the outgoing general internet access policy and configure it to use your permanent
device or static device group. Check that your traffic is unaffected by this change.

Firewall Authentication
Lab 1: User Authentication
In this lab, you will learn how to authenticate users with FortiGate.

Objectives

Create an authentication policy

Manage user authentication

Track user login events

Monitor active users

Enable the captive portal

Exempt some users from the captive portal

Time to Complete
Estimated: 20 minutes

Exercise 1 Authentication via a Firewall Policy


1. On the Win-Student computer, open the Windows CLI and type the following command:
Use_External_DNS
Check the command output to confirm that the change was applied.

2. Open a web browser. Go to the GUI for the FortiGate named Student, and log in as admin.
http://10.0.1.254/
3. Restore the configuration file that is required by this lab:
Resources\Firewall-Authentication\Student\student-auth.conf
FortiGate will reboot.
4. Log in again. Review the user configuration for this lab.
Go to User & Device > User > User Definition to review the local user settings.
Go to User & Device > User > User Group to review the user group configuration.
Note: You should find that there is 1 user, 1 group and 2 firewall policies. The
second firewall policy is disabled. Do not change either of the firewall policies
at this time.
5. Go to System > Network > DNS Server and delete the entry for port3.
6. Confirm that the user is properly configured by using the CLI command:
diag test auth local training Student F0rtinet
The command should return a successful result if the proper configuration has been loaded.
Note: The second character of the password F0rtinet is a zero (0), not the letter O.
Note: Both the username and the password are always case-sensitive on a
FortiGate.
7. On the Win-Student server, open a web browser and connect to a new web site.
You should observe that the web site does not display and the request times out.
8. Open a command prompt and try to ping a web site by its host name. For example:
ping www.hotmail.com
You should find that the computer is unable to resolve the host name to an IP address.
9. On the Student FortiGate's GUI, go to Policy & Objects > Policy > IPv4 and review the outgoing
port3 → port1 firewall policy with authentication configured.
Add DNS as an allowed service and apply the change to that policy.
Go back to the Windows command prompt and attempt to ping by name again. Now the host name
can be resolved, but the ping still times out because the policy does not allow
ICMP.
Note: FortiGate allows DNS to pass through the policy even though
authentication has not succeeded yet; without it the client could not resolve the name of the site whose request triggers the login prompt.
10. On the Win-Student server, open a web browser. Connect to a new web site.
At the login prompt, enter the following credentials:
Username: Student
Password: F0rtinet
You should observe that after successful authentication, FortiGate redirects your browser to the
web site that you requested.
11. On the Student FortiGate, go to User & Device > Monitor > Firewall to view the details of the
authenticated user, including the IP address, how much traffic the user has
sent, which authentication method was used, and so on.
If you right-click the column headings at the top of the table, you can add more columns to the
display.
12. Go to System > Network > DNS Server. Add a new DNS service entry for port3 that is set to
Forward to System DNS.
13. On the Win-Student computer, open the Windows CLI and type the following command:
Use_Internal_DNS
Check the command output to confirm that the change was applied.
14. From the CLI, view the IP addresses and users that have successfully authenticated to the
FortiGate unit with the following command:
diag firewall auth list
Clear all authenticated sessions with the following command:
diag firewall auth clear
Caution: Be careful when using this command on a FortiGate in a real
network. It clears all authenticated users at once, and each of them has to log in again.

Exercise 2 Captive Portals

Note: Verify that you are not authenticated through the FortiGate before you begin.
Use either the User Monitor in the GUI or the CLI command from the previous exercise
to de-authenticate.
1. On the Student FortiGate's GUI, go to Policy & Objects > Policy > IPv4.
Edit the second policy (which does not have authentication enabled and is currently slightly
greyed out) and enable it.
You can open the policy, select Enable this policy at the bottom and apply the change, or
right-click the Seq # and select Enable.
2. On the Windows desktop, open a web browser and connect to a new web site.
You should observe that, unlike before, FortiGate does not ask you to authenticate, yet you
can still access the web site even though the first policy has authentication enabled.
This illustrates how authentication interacts with firewall policies. The
source of the first policy is your IP address AND all users in the training group. You have not
authenticated yet, so your traffic does not match the source of that policy. The second policy
matches all IP addresses and has no authentication options enabled, so it matches your traffic and allows the
connection through.
Since FortiGate found a policy match on the source IP address alone, it does not force a login.
3. On the Student FortiGate's GUI, go to System > Network > Interfaces and edit the port3 interface.
Set the Security Mode to Captive Portal and click OK to save the change.
4. Open a web browser and connect to a new web site.
FortiGate should prompt you to log in. Use the same credentials as in the previous exercise.
Note: If you are not prompted to log in, refer to step 1.

5. On the Student FortiGate's GUI, go to Policy & Objects > Policy > IPv4. Edit the first firewall policy.
Change the source to STUDENT_FALSE and the group to training.
Note: STUDENT_FALSE has the IP address 10.0.1.100, so it does not match the IP address of
the Win-Student computer.
6. On the Student FortiGate's GUI, go to User & Device > Monitor > Firewall. De-authenticate
your user session.
7. Open a web browser and connect to a new web site.
FortiGate should not prompt you to log in, but show a disclaimer instead.
Look at the firewall policies in the CLI. You should find that the captive portal is suppressed on the
second policy:
config firewall policy
show
end
This means that even though port3 has the captive portal enabled for all traffic behind it, any
traffic that matches the second firewall policy will not be redirected to the captive portal to authenticate.
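The policy-matching behavior worked through in steps 2 and 7 above, as an added example that is not part of this guide: a small JavaScript model of the top-down lookup, including what an interface captive portal adds. The policy contents (port3 → port1, host 10.0.1.10, group training, STUDENT_FALSE = 10.0.1.100) are taken from the lab; the object shapes, the enabled and captivePortalExempt flags, and the result strings "prompt" and "captive-portal" are assumptions made for the model, not FortiOS names.

```javascript
"use strict";
// Added example, not part of the Fortinet guide: a model of how the IPv4 policy
// list is walked top-down when a policy's source includes a user group, and of
// what an interface captive portal adds. Policy contents mirror the lab
// (port3 -> port1, host 10.0.1.10, group "training", STUDENT_FALSE = 10.0.1.100).
// Assumptions for this model: the object shapes, the `enabled` and
// `captivePortalExempt` flags, and the result strings "prompt" / "captive-portal".

const STUDENT_HOST = "10.0.1.10";     // Win-Student
const STUDENT_FALSE = "10.0.1.100";   // address object that deliberately does not match

// The two policies of the lab, parameterised by what each step changes.
function makePolicies({ policy2Enabled, policy1Src = [STUDENT_HOST], policy2Exempt = false }) {
  return [
    { id: 1, enabled: true, srcintf: "port3", dstintf: "port1", srcaddr: policy1Src,
      groups: ["training"], action: "accept", captivePortalExempt: false },
    { id: 2, enabled: policy2Enabled, srcintf: "port3", dstintf: "port1", srcaddr: ["all"],
      groups: [], action: "accept", captivePortalExempt: policy2Exempt },
  ];
}

function addrMatches(list, ip) {
  return list.includes("all") || list.includes(ip);
}

// session: { srcintf, srcip, groups }; groups stays [] until the user has logged in.
// iface:   { captivePortal } for the ingress interface.
function evaluate(policies, iface, session) {
  let firstAuthPolicy = null;
  for (const p of policies) {
    if (!p.enabled || p.srcintf !== session.srcintf || !addrMatches(p.srcaddr, session.srcip)) continue;
    if (p.groups.length > 0 && !session.groups.some((g) => p.groups.includes(g))) {
      // The IP half of the source matched but the user half did not:
      // remember the policy and keep looking for a later match.
      if (firstAuthPolicy === null) firstAuthPolicy = p;
      continue;
    }
    if (iface.captivePortal && session.groups.length === 0 && !p.captivePortalExempt) {
      return { policy: p.id, action: "captive-portal" }; // interface portal intercepts first
    }
    return { policy: p.id, action: p.action };
  }
  // Only when no later policy accepted the traffic on IP alone does the
  // user-group policy force a login.
  if (firstAuthPolicy !== null) return { policy: firstAuthPolicy.id, action: "prompt" };
  return { policy: "implicit", action: "deny" };
}

// The situations the lab walks through, in order.
function labScenarios() {
  const anon = { srcintf: "port3", srcip: STUDENT_HOST, groups: [] };
  const student = { srcintf: "port3", srcip: STUDENT_HOST, groups: ["training"] };
  const noPortal = { captivePortal: false };
  const portal = { captivePortal: true };
  return {
    ex1Unauthenticated: evaluate(makePolicies({ policy2Enabled: false }), noPortal, anon),
    ex1Authenticated: evaluate(makePolicies({ policy2Enabled: false }), noPortal, student),
    ex2Step2: evaluate(makePolicies({ policy2Enabled: true }), noPortal, anon),
    ex2Step4: evaluate(makePolicies({ policy2Enabled: true }), portal, anon),
    ex2Step7: evaluate(
      makePolicies({ policy2Enabled: true, policy1Src: [STUDENT_FALSE], policy2Exempt: true }),
      portal, anon),
  };
}

for (const [name, result] of Object.entries(labScenarios())) {
  console.log(name, "->", result.action, "(policy " + result.policy + ")");
}
```

The point the model makes explicit is that a policy whose source carries a user group is not a login trigger by itself: the login is forced only when no later policy accepts the same traffic on address alone. That is why an IP-only catch-all placed below an authenticating policy silently disables authentication for everything it matches, and why the interface captive portal (or a per-policy exemption from it) is the knob that changes the outcome in steps 4 and 7.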

SSL VPN
Lab 1: SSL VPN
In this lab, you will manage user groups and portals for the SSL VPN.

Objectives

Configure and connect to an SSL VPN

Enable authentication security

Configure firewall policies for access to private network resources

Time to Complete
Estimated: 30 minutes

Exercise 1 SSL VPN for Web Access


1. On the Win-Student server, open a web browser. Go to the GUI for the FortiGate named Student,
and log in as admin.
http://10.0.1.254/
2. Restore the configuration file that is required by this lab:
Resources\SSL-VPN\Student\student-ssl.conf.
FortiGate will reboot.
3. When the device has rebooted, review the SSL VPN access configuration for this lab. Go to Policy
& Objects > Policy > IPv4 and examine the ssl.root → port1 firewall policy.
4. Edit this policy to view its components. Configure these settings:
Incoming Interface: ssl.root
Source Address: all
Source User(s): Training_One
Outgoing Interface: port1
5. Under VPN > SSL > Settings, review the authentication rules at the bottom. The rule there gives all
users who are authorized to log in access to the web-access portal.

6. To observe the effect of this policy you will now access the SSL VPN. On the Win-Remote
computer, open a web browser and access the SSL VPN by browsing to:
https://10.200.1.1/
Accept the security warnings for the self-signed certificate and log in using the following
credentials (in a production deployment, install a certificate the clients already trust so that users are
not trained to click through such warnings):
Username: Student
Password: F0rtinet
You should notice that you are able to log in, but the web portal still has its
default settings. You will now configure the web-access portal that is selected in the SSL
VPN policy.
7. Log out and return to the Win-Student computer.
8. In the GUI of the Student FortiGate, go to VPN > SSL > Portals, select web-access and click
Edit to modify the settings for this portal. Create the following bookmarks for the internal servers.
First Bookmark:
Category: Test
Name: Linux Website
Type: HTTP/HTTPS
URL: 10.200.1.254
Click OK.
Second Bookmark:
Category: Test
Name: Student Computer Website
Type: RDP
Host: 10.0.1.10
Click OK.
Click OK at the bottom of the page to save the bookmarks on this portal.
9. Test the SSL VPN access again from the Win-Remote computer by browsing to:
https://10.200.1.1
You should now observe that you have two bookmarks listed.
10. Select the Linux Website bookmark and examine the items listed below to understand how
web access functions.
Note: Do not use the Student Computer Website bookmark yet. It will be tested in the next exercise.
Note the URL of the web site in the browser address bar:
https://10.200.1.1/proxy/http/10.200.1.254/
The first part of the address is the encrypted link to the FortiGate SSL VPN gateway:
https://10.200.1.1/
The second part of the address is the instruction to use the SSL VPN HTTP proxy:
.../proxy/http...
The final part of the address is the destination of the connection from the HTTP proxy:
.../10.200.1.254/
In this example, the connection is encrypted only up to the SSL VPN gateway. The connection from
the HTTP proxy to the final destination is in clear text.
11. Return to the Win-Student computer and from the GUI on the Student FortiGate, go to VPN >
Monitor > SSL-VPN Monitor. Locate the details of the SSL VPN connection.
Note the User, Source IP and Begin Time.
Log the user out by selecting their name and clicking Delete.

Exercise 2 Testing Authentication


1. On the Win-Remote computer, open a web browser. Start the SSL VPN by going to:
https://10.200.1.1
When prompted, log in to the SSL VPN using the following credentials:
Username: Student2
Password: F0rtinet
You should receive a permission denied failure message.
2. Go to the CLI of the Student FortiGate. Test the user's authentication locally:
diag test auth local Training_Two Student2 F0rtinet
This user should authenticate successfully.
Together with the behavior you observed in the previous step, this means that while FortiGate can
confirm the user and group information, that user is not authorized by the SSL VPN firewall policy.
3. To allow those users to log in, go to the firewall policies. Edit the ssl.root → port1 policy by adding
Training_Two as an additional source user group.

4. To observe the effect of these changes, access the SSL VPN again. Log in with both the Student
and Student2 users.
What do you see when you log in? You should see the same portal as in the previous exercise.
Why?
The portal mapping rules send all users to the web-access portal.
5. Under VPN > SSL > Settings create a new mapping for a user group and portal:
Users/Group: Training_Two
Portal: full-access
After adding the mapping rule, click OK to go back to the settings page, then click Apply to
save the changes.

Note: If you click OK but do not click Apply, FortiGate will not save the changes
you make to the portal mapping rules.
6. Log out of the SSL VPN portal (if you haven't already) and log in again. Be sure to use the
Student2 user credentials from step 1.
You should now observe that the portal established is the full-access portal, which has different
widgets and options enabled than the web-access portal.

Exercise 3 Accessing Resources Behind Different Interfaces

1. Log out of the SSL VPN portal (if you haven't already) and log in again. Be sure to use the Student
user credentials.
2. Now click the Student Computer Website bookmark created in exercise 1.
FortiGate should display an access error. Why?
All traffic generated by users of the SSL VPN on this FortiGate originates from the ssl.root
interface. This includes both web-mode and tunnel-mode traffic. The host IP, 10.0.1.10, is behind port3
and there is no firewall policy that allows traffic from ssl.root to port3.
3. Next go to Policy & Objects > Policy > IPv4 and create a firewall policy with the following settings:
Incoming Interface: ssl.root
Source Address: all
Source User(s): Training_One, Training_Two
Outgoing Interface: port3
Destination Address: STUDENT_INTERNAL
Schedule: always
Service: ALL
Action: ACCEPT
4. Go back to the SSL VPN portal and select the Student Computer Website again.
FortiGate should now allow the web site to display because traffic is now allowed to pass from
ssl.root to port3.
5. Log out of the SSL VPN portal.
6. In your browser, enter the address http://10.0.1.10/
The browser's connection will time out because, outside the VPN, there is no access to the Win-Student computer
from the Win-Remote computer.
7. Log back into the SSL VPN portal as Student2.
Once the login has finished, activate the SSL VPN tunnel.
Note: To do this, you must install the SSL VPN tunnel-mode client (the virtual network adapter).
8. In your browser, go to:
http://10.0.1.10/
The web site should display properly this time. The Win-Remote computer is now sending the traffic across the SSL
VPN tunnel rather than to its default gateway.

Basic IPsec VPN


Lab 1: IPsec VPN
In this lab, you will configure an IPsec VPN on the FortiGate using both interface-based (route-based) and policy-based modes.

Objectives

Demonstrate the differences between interface and policy-based VPNs

Explain IPsec VPN configuration options

Time to Complete
Estimated: 30 minutes

Exercise 1 Site-to-Site IPsec VPN


1. On the Win-Student server, open a web browser. Go to the GUI for the FortiGate named Student,
and log in as admin.
http://10.0.1.254/
2. Restore the configuration file that is required by this lab:
Resources\Basic-IPsec-VPN\Student\student-ipsec.conf.
The Student FortiGate will reboot.
3. Go to the GUI for the FortiGate named Remote, and log in as admin.
http://10.200.3.1/
4. Restore the configuration file that is required by this lab:
Resources\Basic-IPsec-VPN\Remote\remote-ipsec.conf.
The Remote FortiGate will reboot.
5. When the Student FortiGate has rebooted, on the Windows server, open a command prompt. Run
a continuous ping to the Win-Remote computer:
ping -t 10.0.2.10
6. From the GUI on the Student FortiGate, go to VPN > Monitor > IPsec Monitor and examine the
tunnel status.
You should observe a tunnel named remote with the destination 10.200.3.1 and a status of
up. This is the tunnel that the Student FortiGate established with the Remote FortiGate.
7. Review the firewall policy port3 → remote. Enable the Count column so that you can see the
packets and bytes per policy.
Observe that the counter is incrementing for the port3 → remote policy.
What is the interface remote?
Go to System > Network > Interface and note the blue arrowhead associated with port1. If you
expand it you will see the remote interface, whose type is set
to Tunnel Interface.
8. Go to VPN > IPsec > Auto Key (IKE) and review the IPsec configuration. Note the Phase 1 and
Phase 2 IKE objects.
Edit the Phase1 IKE object remote. Select Advanced to view all the settings. Note that IPsec
Interface Mode is selected.
You can also view this from the CLI:
conf vpn ipsec phase1-interface
show
The Phase1 IKE object is the IPsec interface referenced in the interface list and firewall policy.
How is the traffic getting to this policy?
Traffic arrives at the FortiGate on the ingress interface. For new connections, FortiGate
performs a routing lookup to select the egress interface and gateway, and then there is a
lookup in the firewall policy to find a matching rule. Egress is determined by the routing table
lookup, and therefore FortiGate selects the remote interface. A route is steering the traffic to the
IPsec interface.
9. Go to Router > Monitor and view the current routing table. You will observe a static route to the
destination 10.0.2.0/24 pointing to the remote interface.
This is an example of the route-based VPN configuration. The alternative is the policy-based VPN
which we will review next.
Usually, route-based VPNs are preferred, but there are a few exceptions where you would need to
use a policy-based VPN. These will be discussed later.
10. Open a web browser on the Windows server. Connect to the GUI on the Remote FortiGate device.
11. Go to VPN > Monitor > IPsec Monitor and examine the tunnel status from the Remote FortiGate
device. You should observe a tunnel named student with the destination 10.200.1.1 and a
status of up.
This is the tunnel that this FortiGate established with the Student FortiGate.
12. Go to System > Network > Interface. Notice there is no tunnel sub-interface under port4.
13. Go to Router > Monitor and view the current routing table. Notice that there is no specific route for
the remote network 10.0.1.0/24; there is only a default route.
How is the traffic entering the tunnel then?
14. Review the firewall policy that exists on the Remote FortiGate device. Note that there is a policy
from port6 to port4 for address 10.0.2.0/24 (REMOTE_INTERNAL) to address 10.0.1.0/24
(STUDENT_INTERNAL) with action IPsec.
Edit this policy to view its settings.
The policy subtype is IPsec, and it uses the VPN tunnel called student. It also has permissions to
allow traffic inbound as well as outbound. We will look at these settings later.
How is the traffic matching this policy?
On the Student FortiGate, a static route was sending traffic to the IPsec virtual interface. Here
there is no static route. Instead, the policy itself sends traffic into the VPN.
The IPsec policy matches traffic from 10.0.2.0/24 to 10.0.1.0/24 and forwards it to the tunnel
student.
15. From the Remote FortiGate device, go to VPN > IPsec > Auto Key (IKE) and review the IPsec
configuration. Note the Phase 1 and Phase 2 IKE objects.
You can also view these settings from the CLI. Because this tunnel is policy-based, the objects live
under phase1 and phase2 rather than phase1-interface and phase2-interface:
conf vpn ipsec phase1
conf vpn ipsec phase2
16. Edit the Phase1 IKE object student and select Advanced to view all the settings. Note that
IPsec Interface Mode is not selected.
The Phase1 IKE object is the IPsec tunnel referenced in the IPsec firewall policy. Here we are
using policy-based on the Remote FortiGate device and interface-based on the Student
FortiGate device. The mode is of local significance only, so the two ends can differ, as is the
case in this example.
17. From the remote Windows desktop, attempt to run a continuous ping to: 10.0.1.10.
You should observe this ping fails. Can you identify why?

If the VPN is policy-based (tunnel mode), FortiGate uses only 1 firewall policy to allow both incoming and
outgoing traffic. But if the VPN is in interface mode, you must have 2 separate VPN firewall
policies: one to allow inbound and one to allow outbound communication.
On the Student FortiGate, we have configured only the outgoing policy, and the VPN is in interface
mode. So FortiGate drops the new incoming connection: there is no firewall policy from remote to port3 to allow it.
18. Return to the Student FortiGate. Add the missing firewall policy from remote to port3, allowing
10.0.2.0/24 to reach 10.0.1.0/24.
You should observe that the ping now succeeds.

Explicit Web Proxy


Lab 1: Explicit Web Proxy
In this lab, you will learn how to configure FortiGate to be an explicit web proxy.

Objectives

Configure a FortiGate as an explicit web proxy

Use a PAC file to configure the Internet browser to use the web proxy

Exempt some servers from the proxy

Display the list of current web proxy users

Time to Complete
Estimated: 30 minutes

Exercise 1 Configuring the Explicit Web Proxy


1. On the Win-Student server, open a web browser. Go to the GUI for the FortiGate named Student,
and log in as admin.
http://10.0.1.254/
2. Restore the configuration file that is required by this lab:
Resources\Explicit-Web-Proxy\Student\student-wp.conf
3. Go to System > Dashboard > Status. In the Features widget, enable Explicit Proxy. Click Apply.
4. Go to System > Network > Explicit Proxy and enable HTTP / HTTPS web proxy.
5. Go to System > Network > Interfaces and edit port3. Enable the option Enable Explicit Web Proxy.
Click OK.
6. Go to Policy & Objects > Policy > Explicit Proxy. Click Create New. Add this explicit proxy policy:
Explicit Proxy Type: Web
Source Address: STUDENT_INTERNAL
Outgoing Interface: port1
Destination Address: all
Action: AUTHENTICATE
Add this authentication rule:
Source User(s): Student
Schedule: always
Click OK to save it.


7. Open Mozilla Firefox. Click the Open menu icon on the top right corner. Select Options:

8. Go to the Advanced > Network tab and click Settings:

9. Select Manual proxy configuration and enter:
HTTP Proxy: 10.0.1.254
Port: 8080
Enable the option Use this proxy server for all protocols.
Additionally, add the subnet 10.0.1.0/24 to the No Proxy for list. This list contains the names, IP
addresses and subnets of web sites that will be exempted from using the proxy.
Click OK.

10. Try to browse any web site. FortiGate will ask you for authentication. Use these credentials:
User Name: Student
Password: F0rtinet
After that, you should have Internet access through the explicit web proxy.
Note: The second character of the password F0rtinet is a zero (0), not the letter O.
Both the username and password are always case-sensitive.
11. While browsing different web sites, type the following CLI command to check the list of active web
proxy users:
diagnose wad user list
You can also check this list from the GUI, by going to User & Device > Monitor > Firewall.
12. Type these CLI commands to list some web proxy sessions:
diagnose sys session filter clear
diagnose sys session filter dport 8080
diagnose sys session list
You can also use grep to display only the source and destination IP addresses and
ports for each session:
diagnose sys session list | grep hook=pre
Why is the source IP address of all those sessions 10.0.1.10?
Why is the destination IP address of all those sessions 10.0.1.254?
Why don't we see any public IP address listed in those sessions?
13. While browsing an HTTP site, type these other commands to list another set of proxy sessions:
diagnose sys session filter clear
diagnose sys session filter dport 80
diagnose sys session list | grep hook=out
Why is the source IP address of all these sessions 10.200.1.1?
Why don't we see the IP address of the Windows server (10.0.1.10)?
Tip: With the explicit web proxy, each connection to a web site creates two sessions on
the FortiGate: one from the client to the proxy, and another from the
proxy to the server.
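A parser for the tuple lines of diagnose sys session list that tells the two legs of a proxied connection apart from ordinary NATed flow-through traffic, as an added example that is not part of this guide. The session lines in it are constructed for the example: the hook=/dir=/act= tuple layout follows the FortiOS session dump, 10.0.1.10, 10.0.1.254:8080 and 10.200.1.1 are the lab's addresses, and 198.51.100.20 is a documentation-range address standing in for a web server.

```javascript
"use strict";
// Added example, not from the Fortinet guide: a parser for the tuple lines of
// `diagnose sys session list` that separates the two legs of an explicit-proxy
// connection from ordinary NATed flow-through traffic. The session lines below are
// constructed for this example (10.0.1.10, 10.0.1.254:8080 and 10.200.1.1 are the lab's
// addresses; 198.51.100.20 is a documentation-range address standing in for a web server).

const PROXY_IP = "10.0.1.254";   // port3 address, where the explicit proxy listens
const PROXY_PORT = 8080;
const EGRESS_IP = "10.200.1.1";  // port1 address, used as the source of the proxy-side leg

const SAMPLE_SESSION_LIST = [
  "hook=pre dir=org act=noop 10.0.1.10:49731->10.0.1.254:8080(0.0.0.0:0)",
  "hook=post dir=reply act=noop 10.0.1.254:8080->10.0.1.10:49731(0.0.0.0:0)",
  "hook=out dir=org act=noop 10.200.1.1:27415->198.51.100.20:80(0.0.0.0:0)",
  "hook=in dir=reply act=noop 198.51.100.20:80->10.200.1.1:27415(0.0.0.0:0)",
  "hook=post dir=org act=snat 10.0.1.10:49802->198.51.100.20:80(10.200.1.1:49802)",
  "hook=pre dir=reply act=dnat 198.51.100.20:80->10.200.1.1:49802(10.0.1.10:49802)",
].join("\n");

const TUPLE_RE = /^hook=(\w+) dir=(\w+) act=(\w+) (\d+\.\d+\.\d+\.\d+):(\d+)->(\d+\.\d+\.\d+\.\d+):(\d+)\((\d+\.\d+\.\d+\.\d+):(\d+)\)$/;

// One tuple line -> object, or null for the other lines of the session dump.
function parseTuple(line) {
  const m = TUPLE_RE.exec(line.trim());
  if (!m) return null;
  return { hook: m[1], dir: m[2], act: m[3], src: m[4], sport: Number(m[5]),
           dst: m[6], dport: Number(m[7]), natIp: m[8], natPort: Number(m[9]) };
}

// Classify the originating direction of a session; reply tuples are skipped
// because they only mirror the original one.
function classify(t) {
  if (t.dir !== "org") return null;
  if (t.dst === PROXY_IP && t.dport === PROXY_PORT) return "client-to-proxy";
  if (t.src === EGRESS_IP && t.hook === "out") return "proxy-to-server";
  if (t.act === "snat") return "flow-through-nat";
  return "other";
}

function summarize(text) {
  const counts = { "client-to-proxy": 0, "proxy-to-server": 0, "flow-through-nat": 0, other: 0 };
  const legs = [];
  for (const line of text.split("\n")) {
    const t = parseTuple(line);
    if (t === null) continue;
    const kind = classify(t);
    if (kind === null) continue;
    counts[kind] += 1;
    legs.push({ kind, from: t.src + ":" + t.sport, to: t.dst + ":" + t.dport });
  }
  return { counts, legs };
}

for (const leg of summarize(SAMPLE_SESSION_LIST).legs) {
  console.log(leg.kind.padEnd(18), leg.from, "->", leg.to);
}
```

The proxy-side leg carries no reference to the client that triggered it, which is why grep hook=out shows only 10.200.1.1 as the source: the wad user list from step 11 and the proxy logs are where a client is tied to an outbound request. The third constructed session, with act=snat on the hook=post line, is what a connection that bypasses the proxy looks like, so the two shapes can be told apart in a mixed dump.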

Exercise 2 Using a PAC File


1. Log in to the Student FortiGate's GUI.
2. Go to System > Network > Explicit Proxy. Enable the option PAC, then click the pencil icon to edit
the PAC file:

Select the file proxy.pac in the folder Resources\Explicit-Web-Proxy. Click Import, then Apply.
3. Click the pencil icon again to look at the imported PAC file:

Click Apply to save all the changes in the explicit proxy configuration.
Note: The second line in the PAC file specifies that the browser will not use a proxy to
reach the servers in the subnet 10.0.0.0/8. The next line configures the browser to use
the FortiGate proxy for any other subnet or URL.
4. Open the Mozilla Firefox options again. Select the Advanced > Network tab and click Settings.
Select the option Automatic proxy configuration URL, then type:
http://10.0.1.254:8080/proxy.pac
Click OK.
5. Close Firefox and open it again. Try to browse any web site on the Internet. The traffic will go
through the FortiGate proxy. If FortiGate asks you to authenticate, use the same Student account.
6. Now connect to a web site in the network 10.0.0.0/8. The browser will not use the proxy and will
send the HTTP request directly to the server. Try with this server:
http://10.200.1.254
It does not work. Something is missing in the FortiGate configuration. Do you know what it
is?
7. Go to Policy & Objects > Policy > IPv4 and add the following firewall policy:
Incoming Interface: port3
Source Address: STUDENT_INTERNAL
Outgoing Interface: port1
Destination Address: all
Schedule: always
Service: ALL
Action: ACCEPT
NAT: Enabled
8. Try to access http://10.200.1.254 one more time. It should work now: traffic that bypasses the proxy
is forwarded by the regular IPv4 policies, not by the explicit proxy policy.
9. To finish the lab exercise, disable the proxy in Mozilla Firefox. Go to Options one more time, select
Advanced > Network, click Settings, and select No proxy.
Click OK to save the change.
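A PAC file with the behavior the note in step 3 describes, as an added example; it is not the proxy.pac shipped with the lab, which is not reproduced here. The proxy address 10.0.1.254:8080 and the 10.0.0.0/8 exemption come from the lab; the ipToInt and inCidr helpers and the dnsResolve fallback are this example's own, written in plain JavaScript so the file can be loaded by a browser's PAC engine and also unit-tested under Node, where the PAC helper functions (isInNet, dnsResolve) do not exist.

```javascript
// Added example, not the lab's proxy.pac: a PAC file that sends 10.0.0.0/8 DIRECT
// and everything else through the FortiGate explicit proxy. The proxy address and
// the exempt range come from the lab; ipToInt/inCidr are this example's own
// helpers, written in plain JavaScript so the file runs both in a browser's
// PAC engine and under Node for testing (Node has no dnsResolve/isInNet).

var FORTIGATE_PROXY = "PROXY 10.0.1.254:8080";
var NO_PROXY_NETS = ["10.0.0.0/8"];

// Dotted quad -> unsigned 32-bit integer, or null if not an IPv4 literal.
function ipToInt(ip) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return null;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    var octet = Number(m[i]);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// True when ip lies inside cidr ("a.b.c.d/len"); false for anything malformed.
function inCidr(ip, cidr) {
  var parts = cidr.split("/");
  var net = ipToInt(parts[0]);
  var addr = ipToInt(ip);
  var bits = Number(parts[1]);
  if (net === null || addr === null || !(bits >= 0 && bits <= 32)) return false;
  var mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((addr & mask) >>> 0) === ((net & mask) >>> 0);
}

// IP literals are used as-is; names go through the browser's dnsResolve() when
// it exists, otherwise they are treated as not exempt.
function resolveHost(host) {
  if (ipToInt(host) !== null) return host;
  if (typeof dnsResolve === "function") return dnsResolve(host);
  return null;
}

function FindProxyForURL(url, host) {
  var addr = resolveHost(host);
  if (addr !== null) {
    for (var i = 0; i < NO_PROXY_NETS.length; i++) {
      if (inCidr(addr, NO_PROXY_NETS[i])) return "DIRECT";
    }
  }
  return FORTIGATE_PROXY;   // deliberately no "; DIRECT" fallback
}
```

Two practitioner points are built into this file. The returned proxy string has no "; DIRECT" fallback: with one, a browser that cannot reach the proxy silently goes direct and bypasses the authentication and filtering the explicit proxy policy enforces. And the exemption is decided from the resolved address, so a name that resolves into 10.0.0.0/8 also goes direct; that direct traffic still has to be permitted by a regular IPv4 policy, which is exactly what step 7 adds.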

Antivirus
Lab 1: Antivirus Scanning
In this lab, you will work with both flow-based and proxy-based antivirus scanning.

Objectives

Configure flow-based and proxy-based antivirus scanning

Understand FortiGate antivirus scanning behavior

Scan multiple protocols

Insert replacement messages in multiple protocols

Time to Complete
Estimated: 30 minutes

Exercise 1 Antivirus & Block pages


1. On the Win-Student server, open a web browser. Go to the GUI for the FortiGate named Student,
and log in as admin.
http://10.0.1.254/
2. Restore the configuration file that is required by this lab:
Resources\Antivirus\Student\student-av.conf
FortiGate will reboot.
3. When the FortiGate has rebooted, go to Policy & Objects > Policy > IPv4 and edit the port3 → port1
policy.
You will notice that an antivirus profile is in place, as well as a Protocol Options profile and an SSL/SSH
Inspection profile. Those last 2 profiles cannot be disabled, only changed.
4. Examine the antivirus profile that has been enabled on the firewall policy (default). This profile
defines the behavior for virus scanning on the traffic that matches policies using that profile.
5. Verify that the inspection mode is Proxy, to block viruses, and that HTTP protocol pickup is
enabled.
6. Now examine the proxy options profile enabled on the firewall policy (default). This profile
determines how FortiGate's proxies identify protocols. Ensure that HTTP is set to port 80.
7. Finally, examine the SSL/SSH profile enabled on the firewall policy (default). This profile
determines how encrypted traffic, like HTTPS, is handled.
8. Configure the profile to inspect certificate details.
9. Go to System > Config > Replacement Message. From the top right-hand corner select Extended
View and under Security modify the Virus Block Page.
The HTML editor that is displayed allows you to see the changes as you make them. If you
do not want to use the standard block pages, you can modify them.
Click Save, shown above the editor window, to apply any changes.
10. From the virtual WIN-Student host, launch a web browser and access the following web site:
http://eicar.org
11. On the EICAR web page, click Download ANTI MALWARE TESTFILE (located in the top right-hand corner of the page) and then click the Download link that appears on the left.
Download any of the EICAR sample files from the Download area using the standard
HTTP protocol.
FortiGate should block the download attempt and instead insert a replacement message
(which should also include any customization you made earlier).

The EICAR file is an industry-standard, harmless test file used to verify antivirus detection. The file
contains exactly the following characters:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
12. FortiGate shows the HTTP virus message when it blocks or quarantines infected files. In the
message that is displayed, click the link to the Fortinet Virus Encyclopedia to view information
about the detected virus.
13. From the GUI on Student FortiGate, go to Log & Report > Traffic Log > Forward Traffic and locate
the antivirus event messages.
In order to view summary information of the antivirus activity, add the Advanced Threat Protection
Statistics widget to the dashboard.
14. On the EICAR web page, click Download ANTI MALWARE TESTFILE and then click the
Download link that appears on the left. This time, select the eicar.com file from the Download area
using the secure SSL enabled protocol HTTPS section.
Your download should succeed. FortiGate should not block the file, because we have not enabled
full SSL inspection.
15. To enable inspection of SSL encrypted traffic on the Student FortiGate unit, go to Policy &
Objects > Policy > SSL/SSH Inspection, edit the default profile, set the Inspection Mode to Full
SSL Inspection and make sure that HTTPS is enabled and set to port 443.
Click Apply.
16. To ensure that there are no existing sessions prior to deep scanning the communication
exchange, connect to the CLI of the Student FortiGate and enter the following command:
diag sys session filter dport 443
diag sys session clear
This will clear out all the HTTPS(port 443) sessions on the firewall, in case the webserver did not
properly close down the communications.
17. Return to the EICAR web page and attempt to download the eicar.com file from the Download
area using the secure SSL enabled protocol HTTPS section.
This time, FortiGate should block the download and replace it with a message. If it doesn't, you
may need to clear your cache. In Firefox, select History > Clear Recent History > Everything.
18. In order to see the block page, you will need to accept the certificate warning. Encrypted
protocols are designed to prevent eavesdropping, and full SSL inspection is exactly that: FortiGate
decrypts the session and presents the browser a certificate re-signed by its own CA rather than the
web server's, so the browser warns unless that CA certificate has been installed in its trust store.


Exercise 2 Flow vs Proxy scanning


1. On the Win-Student server, open a web browser. Go to the GUI for the FortiGate named Student,
and log in as admin.
http://10.0.1.254/
2. Edit the default Antivirus profile, and set the inspection mode to Flow.
3. On the Win-Student computer, open the FileZilla FTP client software.
4. Connect to 10.200.1.254. Leave the username and password blank to use anonymous FTP.
5. On the Remote side, open the pub folder and download the file named eicar.com.
The client should display an error message that the server aborted the connection.

6. On the GUI of the Student FortiGate, locate the logs for the detection of this file.
With flow-based virus scanning, part of the file has already been sent to the client by the time the
virus is detected, so an immediate block message or page may not be possible, depending on the
protocol being scanned.
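What these two exercises demonstrate can be modelled in a few lines. The Python below is an added illustration written for this guide page, not FortiGate code and not part of the original lab: is_eicar_file applies the EICAR file rules (the 68-byte string, optionally followed by whitespace, at most 128 bytes in total), proxy_scan buffers a complete download before deciding, and flow_scan forwards chunks as they pass and keeps only enough history to match a signature split across a chunk boundary. The chunked download (SAMPLE_CHUNKS) is constructed for the example, and the chunking and window logic are the example's own, not a description of FortiGate internals.

```python
"""Added example: EICAR recognition and proxy-based vs flow-based scanning (model only)."""
from typing import Iterable, List, Tuple

# The 68-byte EICAR test string. Per the EICAR specification a test file starts
# with exactly these bytes and may be followed only by whitespace, up to a
# total size of 128 bytes.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
EICAR_MAX_LEN = 128


def is_eicar_file(data: bytes) -> bool:
    """True if 'data' is a well-formed EICAR test file."""
    if len(data) > EICAR_MAX_LEN or not data.startswith(EICAR):
        return False
    return data[len(EICAR):].strip(b" \t\r\n") == b""


def proxy_scan(chunks: Iterable[bytes]) -> Tuple[bytes, bool]:
    """Proxy-based model: buffer the complete object, scan it, then deliver
    either everything (clean) or nothing (a block page replaces the file).
    Returns (bytes delivered to the client, detected)."""
    body = b"".join(chunks)
    if EICAR in body:
        return b"", True
    return body, False


def flow_scan(chunks: Iterable[bytes]) -> Tuple[bytes, bool]:
    """Flow-based model: each chunk is forwarded as it passes. The scanner keeps
    the last len(EICAR)-1 bytes so a signature split across a chunk boundary is
    still matched. The chunk that completes the match is dropped, but earlier
    chunks have already reached the client.
    Returns (bytes delivered before the verdict, detected)."""
    delivered = bytearray()
    history = b""
    for chunk in chunks:
        window = history + chunk
        if EICAR in window:
            return bytes(delivered), True
        delivered += chunk
        history = window[-(len(EICAR) - 1):]
    return bytes(delivered), False


# Constructed sample: a download whose EICAR payload straddles two chunks.
SAMPLE_CHUNKS: List[bytes] = [b"some leading bytes", EICAR[:30], EICAR[30:], b"\n"]


if __name__ == "__main__":
    print("valid EICAR file:", is_eicar_file(EICAR + b"\r\n"))
    print("proxy mode (delivered, detected):", proxy_scan(SAMPLE_CHUNKS))
    print("flow mode  (delivered, detected):", flow_scan(SAMPLE_CHUNKS))
```

Run it and compare the two tuples: in the proxy model nothing reaches the client, while in the flow model the leading bytes and the first part of the signature have already been forwarded when the verdict is reached, which is why the FTP client in this exercise sees an aborted transfer rather than a block page.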


Web Filtering
Lab 1: Web Filtering
In this lab, you will configure web filtering to block specific categories of content. The interaction of
local categories and overrides will also be demonstrated.

Lab Objectives

Enable and use web filtering on a FortiGate device

Troubleshoot and configure FortiGuard Category filtering

Read and interpret web filter log entries

Work with proxy and flow-based web filtering

Monitor blocked categories

Work with and configure Web Rating Overrides

Configure Web Profile Overrides

Time to Complete
Estimated: 30 minutes


Exercise 1 FortiGuard Web Filtering


1. On the Win-Student server, open a web browser. Go to the GUI for the FortiGate named Student,
and log in as admin.
http://10.0.1.254/
2. Restore the configuration file that is required by this lab:
Resources\Web-Filtering\Student\student-wf.conf.
FortiGate will reboot.
2. When the FortiGate device has rebooted go to System > Status and under License information
check the FortiGuard Services Web Filtering status to ensure that the license has been validated.
A green check mark should be displayed.
3. In the GUI on the Student FortiGate device, go to Security Profiles > Web Filter and review the
settings of the default web filter profile.
Verify that the Inspection Mode is set to Proxy.
Under FortiGuard Categories right-click and expand the web category Potentially Liable. The
category and all the sub categories inside should have the action set to Authenticate.
Expand Adult/Mature Content. You should find that Other Adult Material and Pornography are
blocked while all other sub-categories are set to Monitor.
Expand Bandwidth Consuming. The category and all sub categories inside should have the action
set to Warning.
Expand Security Risk. The category and all sub categories inside should have the action set to
Block.
All of the General Interest categories and sub-categories should be set to Monitor.
4. Go to Policy & Objects > Policy > IPv4 and edit the outgoing port3 → port1 policy.
In addition to a web filter profile, Proxy options and SSL/SSH Inspection profile have also been
enabled.
Review the settings in the assigned Proxy options and SSL/SSH Profiles.
5. From the CLI on the Student FortiGate device, check the low-level status information of the web
filtering service by entering the following command:
diag debug rating
The command diag debug rating shows the list of FDS servers for web filtering that the
FortiGate is using to send requests. FortiGate normally sends rating requests to the server on the
top of the list. Each server is probed for RTT every 2 minutes.
Note: Your lab environment uses a FortiManager as a local FDS server. It contains a
local copy of the FDS web rating database. The FortiGate devices have been
configured to send the rating requests to the FortiManager instead of the public FDS
servers. For this reason, the output of the above command lists only the FortiManager
IP address.
6. On the Win-Student computer, open a web browser, and go to:
http://www.bing.com
You should receive a block page.

7. Verify that the rating of the website www.bing.com is NOT pornography by going to the URL
http://www.fortiguard.com/static/webfiltering.html and checking.
You will find that Bing is not rated as pornography and that the category it belongs to has a
monitor action rather than block.
8. From the CLI on the Student FortiGate, examine the FortiGate's behavior:
diag debug application url 255
diag debug enable
Access the website www.bing.com again. The diagnostic output will indicate that the URL
matches a local rating.
9. In the GUI on the Student FortiGate device, go to Security Profiles > Advanced > Web Rating
override
You will find an entry for www.bing.com which assigns it the category Pornography.
10. Edit the Rating override for www.bing.com and set the category to Potentially Liable and the subcategory to Proxy Avoidance.
11. Access the website http://www.bing.com again.
This time, the block page gives you the option to Proceed. Click Proceed and enter the
following user credentials:

User: Student
Password: F0rtinet
Note: If you receive a certificate warning, be sure to allow it.

12. In the GUI on the Student FortiGate device, go to Log & Report > Security Log > Web Filter.
If you examine the actions taken in the logs you will find that initially a Block action shows up.
However, more recent logs show a different action.
13. Edit the web filter profile and select Flow-based. A notification is displayed as follows:

Click OK on this pop-up and then click Apply at the bottom of the profile.
14. Test the behavior of the flow based inspection by connecting to www.bing.com again.
15. Go to Security Profiles > Advanced > Web Rating override and delete the entry for:
http://www.bing.com
Access www.bing.com again.
16. In the GUI on the Student FortiGate device, go to Security profiles > Monitor > Web Monitor.
Review the output. You can click on the charts in order to get additional information on what is
being displayed.
Note: If you do not have the Monitor menu, this feature is disabled in the GUI and must be
enabled from the CLI:
config system global
set gui-utm-monitors enable
end
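The ordering this exercise exposes, where a Web Rating Override is consulted before the FortiGuard rating and the profile's category action is then applied, can be modelled as follows. This is an added example for this guide, not FortiGate or FortiGuard code. The group and sub-category actions are the ones reviewed in step 3; the FortiGuard category assumed for www.bing.com ("Search Engines and Portals"), the stand-in rating table, and the Monitor action for unrated hosts are assumptions made for the example.

```python
"""Added example: model of the web filter decision order observed in the lab."""
from typing import Dict, List, Optional, Tuple

# Actions per FortiGuard category group, as reviewed in the lab's default profile.
GROUP_ACTIONS: Dict[str, str] = {
    "Potentially Liable": "Authenticate",
    "Adult/Mature Content": "Monitor",
    "Bandwidth Consuming": "Warning",
    "Security Risk": "Block",
    "General Interest": "Monitor",
}
# Sub-categories whose action differs from their group's action.
SUBCATEGORY_ACTIONS: Dict[str, str] = {
    "Other Adult Material": "Block",
    "Pornography": "Block",
}
# Group membership of the sub-categories used here. The last entry is an
# assumed FortiGuard category for the example, not a claim about live ratings.
SUBCATEGORY_GROUP: Dict[str, str] = {
    "Other Adult Material": "Adult/Mature Content",
    "Pornography": "Adult/Mature Content",
    "Proxy Avoidance": "Potentially Liable",
    "Search Engines and Portals": "General Interest",   # assumed
}
# Constructed stand-in for the FDS rating database (the lab's FortiManager).
FORTIGUARD_RATINGS: Dict[str, str] = {"www.bing.com": "Search Engines and Portals"}
UNRATED_ACTION = "Monitor"   # assumption for the model


class WebFilterProfile:
    def __init__(self, rating_overrides: Optional[Dict[str, str]] = None):
        # Web Rating Overrides: hostname -> locally assigned sub-category
        self.rating_overrides: Dict[str, str] = dict(rating_overrides or {})

    def rate(self, host: str) -> Tuple[str, str]:
        """A local rating override is matched before any FortiGuard query."""
        if host in self.rating_overrides:
            return self.rating_overrides[host], "local"
        return FORTIGUARD_RATINGS.get(host, "Unrated"), "fortiguard"

    def evaluate(self, host: str) -> Tuple[str, str, str]:
        """Return (category, rating source, action) for a request to host."""
        category, source = self.rate(host)
        action = SUBCATEGORY_ACTIONS.get(category)
        if action is None:
            action = GROUP_ACTIONS.get(SUBCATEGORY_GROUP.get(category, ""), UNRATED_ACTION)
        return category, source, action


def lab_walkthrough() -> List[Tuple[str, str, str]]:
    """Replay steps 9, 10 and 15 of the exercise against the model."""
    profile = WebFilterProfile({"www.bing.com": "Pornography"})
    results = [profile.evaluate("www.bing.com")]        # step 9: local override -> Block
    profile.rating_overrides["www.bing.com"] = "Proxy Avoidance"
    results.append(profile.evaluate("www.bing.com"))    # step 10: -> Authenticate
    del profile.rating_overrides["www.bing.com"]
    results.append(profile.evaluate("www.bing.com"))    # step 15: FortiGuard rating -> Monitor
    return results


if __name__ == "__main__":
    for category, source, action in lab_walkthrough():
        print(f"{category:28s} ({source:10s}) -> {action}")
```

The walkthrough shows why the `diag debug application url 255` output in step 8 reports a local match: the override short-circuits the FortiGuard lookup entirely, so the site's real category never comes into play until the override is deleted.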


Exercise 2 Web Profile Overrides


1. On the Win-Student computer, open a new browser window and visit:
www.youtube.com
FortiGate should block this.
2. In the GUI on the Student FortiGate, go to Security Profiles > Web Filter
Set the inspection mode to Proxy.
3. Enable Allow blocked Override and configure the following options:

Apply to Group(s): Override_Permissions

Assign to Profile: monitor_all

Scope: IP

Duration Mode: Constant

Duration: 0 days, 0 hours, 15 minutes

Click Apply to save the changes


4. Visit the website www.youtube.com again. You will find that at the bottom of the page there is an
override link.

5. Click Override and enter the following user credentials:


User: Student2
Password: F0rtinet
FortiGate should now allow you to access the web site.
6. In the GUI on the Student FortiGate device, go to Log & Report > Security Logs > Web Filter
Compare the current pass-through entries for YouTube with the older block entries.
Notice that the web profile that is reported as being used is different.


Application Control
Lab 1: Application Identification
In this lab, you will use the application control feature to properly identify an application.

Objectives

Configure Application Control in the student lab environment

Read and understand application control logs

Enable and Monitor traffic shaping through Application Control

Use Application control to Fine tune Internet Access

Time to Complete
Estimated: 30 minutes


Exercise 1 Creating an Application Control List


1. On the Win-Student server, open a web browser. Go to the GUI for the FortiGate named Student,
and log in as admin.
http://10.0.1.254/
2. Restore the configuration file that is required by this lab:
Resources\Application-Control\Student\student-app.conf
FortiGate will reboot.
2. Log in again. Go to Security Profiles > Application Control > Application Sensor. Review the
default application control sensor. (Verify that you are selecting the sensor named default.)
3. On the Edit Application Sensor page, check the settings for the following rules:

Application Override

Myspace

Category

Video/Audio

The action for this should show as being Block.


4. Go to Policy > Policy > Policy and edit the port3 → port1 policy. Verify that Application Control is
turned on and that the default application control sensor is selected.
5. Enable the Security Profiles monitors:
config sys global
set gui-utm-monitors enable
end
Go to http://www.youtube.com. On the YouTube web site, try to play a video.
While the video is playing, go to the GUI of the FortiGate and check the application monitor in
Security Profiles > Monitor > Application Monitor. If your browser does not show the application
monitor, you may need to refresh the page or log in to the FortiGate again.
6. On the Win-Student computer, open a new web browser window. Go to http://www.myspace.com/.
You should observe that you cannot connect to this site. It times out.
7. Go to Security Profiles > Application Control > Application Sensor and check the default sensor
again. At the bottom of the profile enable Replacement messages for HTTP-based application.
8. Go to the MySpace web site again. Now FortiGate should display a block message.
9. Go to Log & Report > Traffic Log > Forward Traffic and view the log information to confirm that
this action was correctly logged.
10. From the web browser, try to go to:
http://proxite.us
On the proxy web page, scroll down to the bottom and enter the URL of MySpace.com. Click
Go.
You should observe that FortiGate does allow some connectivity to the site. How can you stop this?
Create a new rule in the sensor to block the Proxy category.

Exercise 2 Limiting YouTube Traffic


1. On the Student FortiGate's GUI, go to Policy & Objects > Objects > Traffic Shapers and look at the
YouTube_Shaper traffic shaper.
Look closely at the Maximum amount of allowed bandwidth.
2. Go to Security Profiles > Application Control > Application Sensor and edit the default profile.
Add an Application Override for Youtube, set the action to Traffic Shaping and have it use
YouTube_Shaper.
3. Clear the web browser cache and re-open it. Connect to the YouTube web site again and stream
the same video that you did before.
This will probably result in a much different experience.
Note: If your classroom is using a virtual lab, the underlying hardware is shared, and
so the amount of bandwidth available for Internet access varies with simultaneous use by
others. The traffic shaper is set to a very low value in order to make sure
that the difference in behavior is easily noticeable. In real networks, this setting
would be greater.
4. Check the traffic shaper monitor in Policy & Objects > Monitor > Traffic Shaper Monitor. In the
upper right corner, change Report by to Current Bandwidth.
Note: Monitor statistics are current as of the time that you requested the GUI page, so
make sure to view them while a video is downloading. The page does not constantly
refresh, so in order to do this, click Refresh in the upper right.


Exercise 3 Fine Tuning Web Site Access


1. On the Win-Student computer, open a browser window. Go to:
http://translate.google.com
2. Go to Security Profiles > Application Control > Application Sensor and edit the default profile.
Add an application override for Google.Translate. Set the action to Reset.

3. Refresh the Google Translate page. FortiGate should insert a replacement message from
application control about the application being blocked.
4. Go to Security Profiles > Application Control > Application Sensor and edit the default profile.
Disable replacement messages for HTTP-based applications, then click OK.
5. Refresh the Google Translate page. The browser should display an error message, telling you that
the connection was reset.
Note: Depending on which browser you use for the test the wording and nature of the
error will vary.
6. Open a browser window. Go to http://www.myspace.com
Since there is no longer an HTTP-based block message enabled, the 2 signatures will behave
differently based on the configured action.
7. Go to Security Profiles > Application Control > Application Sensor and edit the default profile.
Enable replacement messages for HTTP-based applications, then click OK.
8. Refresh both websites. This time, the browser should display a block message.
9. Access Google Translate over HTTPS:
https://translate.google.com
This connection should succeed. In order for this signature to detect access over encrypted
communications (HTTPS), SSL inspection must be enabled.

Appendix A: Additional Resources


Training Services

http://training.fortinet.com

Technical Documentation

http://help.fortinet.com

Knowledge Base

http://kb.fortinet.com

Forums

https://support.fortinet.com/forum

Customer Service & Support

https://support.fortinet.com

FortiGuard Threat Research & Response

http://www.fortiguard.com

Appendix B: Presentation Slides

Introduction to Fortinet UTM

In this lesson, we will show FortiGate administration basics. This includes how and where FortiGate
fits into your existing network architecture.


After completing this lesson, you should have these practical skills in FortiGate administration
fundamentals, such as how to log in, make administrator accounts, do basic network settings, and how
to use your FortiGate's GUI or CLI.
You'll also be able to set up FortiGate to act as your local network's DNS or DHCP server.
Lab exercises can help you to test and reinforce your skills.



A FortiGate is a Unified Threat Management device, but what exactly does this mean? Well, if we look
at a typical network security solution, multiple single-purpose devices are used. Each performs a specific
task. There is:
One device acting as the firewall
Another device that scans for viruses
Another device filtering email
One device to optimize WAN usage
Another device to filter web sites
One device for application control
One device for intrusion prevention
Another device to provide VPN access
That is a lot of different devices. Most likely, they all have different vendors. All of this can introduce
unwanted complexity, and many potential points of failure.


So how is FortiGate different?


FortiGate provides a comprehensive approach to security. It even includes some basic accessory
network services such as authentication and DHCP. All this and more is combined into a single device.
That way, you can reconfigure your network and security deployment by simply accessing one device.
Cabling and interfaces between 10 devices? Gone. And it's all from a single vendor. Per-module
licensing? Gone.
If you're familiar with Cisco ASA, you may even expect multiple management interfaces. This, too, is
simpler on FortiGate. Regardless of whether you are building a VPN or applying antivirus, you can
configure it all from one unified GUI or CLI.
How can FortiGate do so many things? Shouldn't separate functions be divided among different devices
for performance reasons?
In some cases, yes. A high load of one specific workload may be worth a dedicated device. And Fortinet
offers several. But now you have the choice: you can specialize if your network requires it.


In this architecture diagram, you can see how FortiGate UTM platforms add strength without
compromising on flexibility: they are still internally modular. Plus:

Devices add duplication. Sometimes, dedication doesn't mean efficiency. If it's overloaded, can 1
device borrow free RAM on 9 others? Do you want to configure policies, logging, and routing on 10
separate devices? Does 10 times the duplication bring you 10 times the benefit? Or is it a hassle?
FortiGate hardware isn't just off-the-shelf. It's carrier-grade. Underneath, most FortiGate models
have 1 or more specialized circuits called ASICs that are engineered by Fortinet. For example, a CP
or NP chip handles cryptography and packet forwarding more efficiently. Compared to a single-purpose
device with only a CPU, FortiGate can have dramatically better performance.
(The exception? Virtualization platforms such as VMware, Citrix Xen, Microsoft, or Oracle VirtualBox
have general-purpose vCPUs. But virtualization might be worthwhile due to other benefits, such as
distributed computing and cloud-based security.)
FortiGate is flexible. If all you need is firewalling and antivirus, FortiGate won't require you to waste
CPU, RAM, and electricity on others. In each firewall policy, UTM modules can be enabled or
disabled. You won't pay more to add VPN seat licenses later, either. What requires a subscription?
Only FortiGuard subscription services.


FortiGuard subscription services give your FortiGate access to 24x7 security updates powered by
Fortinet's researchers. Your FortiGate uses FortiGuard in 2 ways:

By periodically requesting packages that contain a new engine and many signatures, or
By querying the FDN on an individual URL or host name

Queries are real-time; that is, FortiGate asks the FDN every time it scans for spam or filtered web sites.
Also, queries use UDP for transport: they are connectionless, and the protocol is designed for speed, not
fault tolerance. So they require that your FortiGate have a reliable Internet connection.
Downloaded packages like antivirus and IPS, however, aren't that frequent. They use TCP for reliable
transport. And their associated FortiGate features continue to function even if FortiGate does not have
reliable Internet connectivity. Keep in mind, though, that you should still avoid interruptions. If your
FortiGate must try repeatedly to download updates, it can't detect new threats during that time.


So now we've seen a simplified overview of the software architecture. What about the network
architecture? Where does FortiGate fit in?
When you deploy a FortiGate, you can choose on the dashboard between two modes: NAT or
transparent.

In NAT mode, FortiGate forwards packets based on Layer 3, like a router. Each of its logical network
interfaces has an IP address.
In transparent mode, FortiGate forwards packets at Layer 2, like a switch. So except for the
management interface, its interfaces have no IP address.

Interfaces can be exceptions to the router vs. switch operation mode on an individual basis, however.
We'll show these later.


What does that mean for your traffic, in terms of the 7-layer OSI model? Which operation mode should
you choose?
NAT mode is the most common choice. In NAT mode, the destination address is the FortiGate's
address. Typically FortiGate will rewrite the destination address, and/or port number and source
address in the IP network layer, into the server's private network address before forwarding the packet;
in other words, it will apply NAT and port forwarding. Depending on your presentation and application
layer protocols, it might also:
Terminate SSL or TLS sessions so back-end servers don't need to decrypt
Modify the addresses in the application layer headers, such as the Host: and X-Forwarded-For: in
the HTTP header
So NAT mode works well for edge or gateway security, where you divide your private IPv4 network from
an external network such as guest Wi-Fi or the Internet.
In transparent mode, the destination address is the server's address, not a FortiGate's interface.
As a result, it usually doesn't need to rewrite encapsulated layers, with the exception of TCP SYN-related
analysis. Only the MAC address in the frame is rewritten. So in complex IP environments such as
MSSP or mobile phone carriers, this simplifies deployment. Only the management interface needs an IP
address. But because network-facing interfaces don't have an IP address, you must verify that your
topology doesn't have any loops at Layer 2 Ethernet.


NAT mode is the default operation mode. What are the other default settings? Once you've removed
your FortiGate from its box, what do you do next?
Let's see how to set up a FortiGate.
Attach your computer's network cable to port1 or the internal switch ports (depending on your model) to
begin setup. There is a DHCP server on that interface, so if your computer's network settings have
DHCP enabled, your computer should automatically get an IP, and you can begin setup quickly. Every
FortiGate or FortiWifi device has these same default settings. (Note that FortiAP is not the same. It's
covered in a separate lesson.)
To access the GUI on FortiGate or FortiWifi, open a web browser and go to http://192.168.1.99.
Remember: The default login is publicly available knowledge. Never leave its default password
blank! Your network is only as secure as your FortiGate's admin account. Before you connect your
FortiGate to your overall network, you should set a complex password. You should also restrict it so that
FortiGate allows administrative connections only from your local console or management subnet.


What happens if you forget the password for your admin account, or a hostile employee changes it?
This recovery method is on all FortiGate devices, and even some non-FortiGate devices like FortiMail.
It's a temporary account, only available through the local console port, and only after a hard reboot:
disrupting power by unplugging or switching off the power, then restoring it. FortiGate must be physically
shut off, then turned back on, not simply rebooted through the CLI. That's the difference between a
hard boot and a soft boot.
Even then, the maintainer login will only be available for login for about 30 seconds after boot
completes.
If you can't ensure physical security, or have compliance requirements, you can disable the maintainer
account. Use caution: if you disable maintainer and then lose your admin password, you
cannot recover access to your FortiGate.


All FortiGate models have a console port. This provides CLI access without a network.

On older models, it's a serial port. A standard null modem cable can be used to connect the serial
port to your computer's serial port.
On newer models, it's an RJ-45 port. Access by connecting an RJ-45-to-serial cable from your
computer's serial port to the RJ-45 port on the FortiGate.
In some newer models, the console port is a USB2 port. In that case, you'll plug in the USB cable,
then open FortiExplorer.

Each device ships with its appropriate cable.

Serial ports on computers are becoming less common. If your computer doesn't have one, you can
purchase a USB-to-serial adapter.


Most features are available in both the GUI and CLI. There are a few exceptions. Reports can't be
viewed in the CLI, for example, and diagnostic commands for power users are usually not in the GUI.
What if you don't want to use the GUI?
There is also a CLI. As you become more familiar with FortiGate, and especially if you want to script its
configuration, you may want to use it in addition. You can access the CLI via either the JavaScript widget
in the GUI named CLI Console, or via a terminal emulator such as Tera Term
(http://ttssh2.sourceforge.jp/index.html.en) or PuTTY
(http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html). Your terminal emulator can connect
via the network (SSH or telnet) or the local console port.
SNMP and some other administrative protocols are also supported, but they are not used for basic
setup. Let's focus on setup now.


As an alternative GUI during setup, you can plug in your smart phone, and use FortiExplorer.
FortiExplorer isn't a complete configuration tool for all devices. Its focus is deployment: configuring
network addresses and routing. After that, your FortiGate can be integrated into the network, and you
can continue by configuring firewall policies, security profiles and other features.


There are a few supported platforms for the FortiExplorer software. This is what FortiExplorer looks like
when you are running it on a Windows laptop.
On the left side, you can see that FortiExplorer can fully update device firmware and configure its
network settings so that FortiGate is prepared for you to plug it into your network.


Whichever method you use, start by logging in as admin. Begin by creating accounts for other
administrators.
It's not shown here, but alternatively, instead of creating accounts on FortiGate itself, you could configure
FortiGate to query a remote authentication server. You could also require personal certificates,
authenticated via your PKI certificate authority, instead of passwords.
Choose strong, complex passwords. For example, you could use multiple interleaved words with varying
capitalization, and randomly insert numbers and punctuation. Do not use short passwords, nor
passwords that contain names, dates, or words that exist in any dictionary. These will be very
weak against brute force attacks. To audit the strength of your passwords, use tools such as l0phtcrack
(http://www.l0phtcrack.com/) or John the Ripper (http://www.openwall.com/john/). Risk of attackers brute
forcing your firewall is especially high if you connect the management port to the Internet.
In order to restrict access to specific features, you can assign permissions.


When assigning permissions in an access profile, you can specify read-and-write, read-only, or no
access to each area.
By default, there is a special profile named super_admin, which is used by the account named admin.
It cannot be changed. It provides full access to everything, making the admin account similar to a root
superuser account.
prof_admin is another default profile. It also provides full access, but unlike super_admin, it only
applies to its virtual domain, not the global settings of the FortiGate. Also, its permissions can be
changed.
You aren't required to use a default profile. You could, for example, create a profile named
auditor_access with read-only permissions. Restricting a person's permissions to those necessary for
his or her job is a good best practice, because even if that account is compromised, the compromise is
not complete. To do this, create administrative access profiles, then select the appropriate profile when
configuring an account.


What are the effects of access profiles?


It's actually more than just read or write access.
Depending on the type of access profile that you assign, each administrator may not be able to access
the entire FortiGate. For example, you could configure an account that can only view log messages.
Administrators may not be able to access global settings outside their assigned virtual domain, either.
(Virtual domains, by the way, are a way of subdividing the resources and configurations on a single
FortiGate. VDOMs are shown in another lesson.)
Administrators with a smaller scope of permissions cannot create, or even view, accounts with
more permissions. So, for example, an administrator using the prof_admin or a custom profile can
neither see nor reset the password of accounts that use the super_admin profile.
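The rule in the last paragraph, that an administrator may only manage accounts whose profile does not exceed their own, is easy to get wrong when you build your own role model, so here is an added Python model of it (example code written for this page, not FortiOS code). super_admin and prof_admin follow the description above; the area names, the "global"/"vdom" scope flag and the permissions of the auditor_access profile are the example's own assumptions.

```python
"""Added example: a least-privilege model of administrator access profiles."""
from dataclasses import dataclass
from typing import Dict

# Permission levels in increasing order of privilege.
LEVELS = {"none": 0, "read": 1, "read-write": 2}
# Assumed configuration areas for the model.
AREAS = ("system", "network", "firewall", "security-profiles", "log-report", "admin")


@dataclass
class AccessProfile:
    name: str
    scope: str                   # "global" (all VDOMs and global settings) or "vdom"
    permissions: Dict[str, str]  # area -> "none" | "read" | "read-write"
    mutable: bool = True


def full(level: str) -> Dict[str, str]:
    return {area: level for area in AREAS}


# super_admin: fixed, global, full access (used by the built-in 'admin' account).
SUPER_ADMIN = AccessProfile("super_admin", "global", full("read-write"), mutable=False)
# prof_admin: full access, but confined to its own VDOM, and editable.
PROF_ADMIN = AccessProfile("prof_admin", "vdom", full("read-write"))
# A custom read-only profile like the auditor_access suggested above (assumed areas).
AUDITOR = AccessProfile("auditor_access", "vdom", {**full("none"), "log-report": "read"})


def permitted(profile: AccessProfile, area: str, operation: str) -> bool:
    """operation is 'read' or 'write'; write needs read-write, read needs at least read."""
    needed = "read-write" if operation == "write" else "read"
    return LEVELS[profile.permissions.get(area, "none")] >= LEVELS[needed]


def outranks_or_equals(viewer: AccessProfile, target: AccessProfile) -> bool:
    """True when viewer's scope and every per-area permission is at least target's."""
    if target.scope == "global" and viewer.scope != "global":
        return False
    return all(
        LEVELS[viewer.permissions.get(a, "none")] >= LEVELS[target.permissions.get(a, "none")]
        for a in AREAS
    )


def can_manage_account(viewer: AccessProfile, target: AccessProfile) -> bool:
    """Viewing, creating or resetting an account needs write access to the admin
    area AND a profile that is not smaller than the target account's profile."""
    return permitted(viewer, "admin", "write") and outranks_or_equals(viewer, target)


def set_permission(profile: AccessProfile, area: str, level: str) -> AccessProfile:
    """Return an edited copy; the fixed super_admin profile refuses changes."""
    if not profile.mutable:
        raise PermissionError(f"profile {profile.name} cannot be changed")
    if level not in LEVELS:
        raise ValueError(f"unknown level {level!r}")
    return AccessProfile(profile.name, profile.scope, {**profile.permissions, area: level})


if __name__ == "__main__":
    for viewer, target in ((SUPER_ADMIN, PROF_ADMIN), (PROF_ADMIN, SUPER_ADMIN),
                           (PROF_ADMIN, AUDITOR), (AUDITOR, PROF_ADMIN)):
        print(f"{viewer.name:15s} manages {target.name:15s}: {can_manage_account(viewer, target)}")
```

The check is deliberately two-sided: an auditor with read-only rights fails on the admin-area test, and a VDOM-scoped prof_admin fails on the scope test against super_admin, which is the case the slide describes.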


To further secure access to your network security, use two-factor authentication.


Two-factor authentication just means that instead of only using one way to verify your identity (typically
a password or personal certificate), you verify identity in two ways. In the example shown here, two-factor
would mean a password plus an RSA randomly generated number from a FortiToken that is
synchronized with FortiGate.


FortiToken is not the only option if you want to use two-factor authentication. Remember, two-factor
authentication literally only means that you use two methods to verify the person's identity.
Alternatively, FortiGate can send an email to the administrator's address, or send a text message.
To be able to do this, you must first configure FortiGate with the settings of a mail server that it can use
to send email, or an SMS server. The mail server can be configured under System > Config >
Messaging Servers in the GUI, or the CLI. SMS settings, however, are CLI-only.


Another way to secure your FortiGate is to define which hosts or subnets are trusted sources of login
attempts.
Define all three, for all accounts. (If you leave any IPv4 address as 0.0.0.0/0, this means to allow
connections from any source IP, obviously not what you want.) Notice that each account can define its
management host or subnet differently. This is especially useful if you will be setting up virtual domains
on your FortiGate, where the VDOMs' administrators may not even belong to the same organization.
Now try to access FortiGate's GUI or CLI from an external IP. Does it work? No. Your web browser or
terminal emulator won't receive a response. Not even to a ping.
Unless you connect from the network administrator's subnet, FortiGate won't allow you to even try to log
in. So external brute force is impossible. So is discovery by ICMP.


You may also want to customize the administrative protocols' port numbers.
You can also choose whether to allow concurrent sessions. This can be used to prevent accidentally
overwriting settings if you usually keep multiple browser tabs open, or accidentally leave a CLI session
open without saving the settings, then begin a GUI session and accidentally edit the same settings, for
example.


We've defined the management subnet, that is, the trusted hosts, for each administrator account. How
do you enable or disable management protocols?
This is specific to each interface. For example, if your administrators connect to FortiGate only from
port1, you should disable all administrative access on all other ports. This prevents brute force attempts,
and also insecure access.
For better security, it is always best to only use secure, encrypted methods of access. Some protocols,
such as telnet, ICMP, HTTP, and SNMP version 1, don't have encryption or even authentication. So
they should never be enabled on public, untrusted networks.
IPv4 and IPv6 protocols are separate. It's possible, for example, to have both IPv4 and IPv6 addresses
on an interface, but only respond to pings on IPv6. However, IPv6 is hidden in the GUI by default. How
do you show IPv6 settings?
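The three hardening steps just described (trusted hosts per account, administrative port numbers and concurrent sessions, and per-interface access protocols), as one added CLI example. This is not configuration from the guide; the account name "admin", the management subnet 10.0.1.0/24, the jump hosts 10.0.1.10 and 10.0.1.11, and the interface names port1 and wan1 are constructed assumptions.

```fortios
# Added example, not from the student guide. All addresses and names are constructed.

# 1. Trusted hosts: only these sources may even attempt a login for this account.
#    Define all three; an entry left at 0.0.0.0/0 would allow any source.
config system admin
    edit "admin"
        set trusthost1 10.0.1.0 255.255.255.0
        set trusthost2 10.0.1.10 255.255.255.255
        set trusthost3 10.0.1.11 255.255.255.255
    next
end

# 2. Move HTTPS and SSH off their default ports, and forbid concurrent admin sessions
#    so two open sessions cannot silently overwrite each other's changes.
config system global
    set admin-sport 8443
    set admin-ssh-port 2222
    set admin-concurrent disable
end

# 3. Administrative access is per interface and per IP version.
config system interface
    edit "port1"
        # Management interface: encrypted protocols only over IPv4 ...
        set allowaccess https ssh
        # ... and only ping over IPv6 (IPv6 settings are hidden in the GUI by default).
        config ipv6
            set ip6-allowaccess ping
        end
    next
    edit "wan1"
        # Internet-facing interface: no administrative access at all, not even ICMP.
        unset allowaccess
    next
end
```

After applying this, confirm from a host outside 10.0.1.0/24 that neither https://fortigate:8443 nor ping gets any response, and from a trusted host that the GUI still answers on port 8443 before closing your existing session.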


FortiGate has hundreds of features. If you don't use all of them, hiding features that you don't use makes
it easier to focus on your work.
Hiding a feature in the GUI does not disable it. It is still functional, and can still be configured via the CLI.
(In fact, many diagnostic features are only available in the CLI.)
Some advanced or less commonly used features, such as IPv6, are hidden by default.
There are 2 ways to show hidden features:
Use the Features widget on the dashboard, or
Go to System > Config > Features


The Features widget shows and hides features by bulk presets.

NGFW shows features for line speed inspection, with no added latency. This hides all UTM options
that can potentially slow down traffic.
ATP shows features for advanced threat protection that focus on protecting endpoint computers.
WF shows features for web filtering.
Full UTM is a preset that shows almost all UTM features.

Load balancing and a few others aren't enabled here, though. So if the Features widget does not
show the feature you're looking for, go to System > Config > Features instead.


Once you have administrator accounts, they can configure the network interfaces.
Remember: When the FortiGate device is in NAT/route mode, every interface that handles traffic usually
must have an IP address. This is so that packets sent or received on this interface will have a source and destination at
the IP layer. There are 3 ways to do this:
assign a static IP, or
automatically retrieve one, via either DHCP or PPPoE
As we mentioned earlier, there are 2 exceptions: the less commonly used One-Arm Sniffer and
Dedicate to FortiAP modes. Unlike interfaces that are in the usual NAT mode, these aren't assigned an address.
One-Arm Sniffer is an interface in promiscuous mode. As a result, regardless of each packet's
destination address, FortiGate can inspect all traffic that arrives. So although the overall FortiGate is
in NAT mode, acting as a router, this specific interface does not. It receives traffic, but cannot send.
There are more considerations, which are in the IPS lesson.
Dedicate to FortiAP creates both an access point controller and DHCP server. Clients
connecting to SSIDs managed through this interface receive an IP address from the pool on this
interface.


Wireless clients arent the only ones that can use FortiGate as their DHCP server.
Select the Manual option, enter a static IP, then enable the DHCP server option. Options for the built-in DHCP server will appear.


For the built-in DHCP server, you can reserve specific IP addresses for devices with specific MAC
addresses. Those devices will always receive the same lease, unless the number of devices exceeds
the size of the IP pool.
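The built-in DHCP server with one MAC-based reservation, as an added CLI example (not from the guide). It assumes an internal interface "port2" with the static address 10.0.2.1/24, a dynamic pool of 10.0.2.100 to 10.0.2.199, and a device with the constructed MAC address 00:11:22:33:44:55 that should always receive 10.0.2.150 from that pool.

```fortios
# Added example, not from the student guide. Interface, addresses and MAC are constructed.
config system dhcp server
    edit 1
        set status enable
        set interface "port2"
        set default-gateway 10.0.2.1
        set netmask 255.255.255.0
        # Hand out FortiGate itself as the DNS server for these clients
        set dns-service local
        # Lease time in seconds (one day)
        set lease-time 86400
        config ip-range
            edit 1
                set start-ip 10.0.2.100
                set end-ip 10.0.2.199
            next
        end
        # Reservation: this MAC always gets the same lease from the pool
        config reserved-address
            edit 1
                set ip 10.0.2.150
                set mac 00:11:22:33:44:55
            next
        end
    next
end
```

Keep the reserved address inside the pool range; if the number of clients ever exceeds the pool, the reservation is no longer guaranteed, as the paragraph above notes.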


For detailed information about the MAC addresses and the corresponding IPs, you can look in the router
subsection of the event log, or in the DHCP Monitor, which you can find in the System menu.


Like with DHCP, you can also configure FortiGate to act as your local DNS server.
A local DNS server can improve performance for your FortiMail or other devices that use DNS queries
frequently. If your FortiGate offers DHCP to your local network, DHCP can be used to configure those
hosts to use FortiGate itself as both the gateway and DNS server.
FortiGate can answer DNS queries in one of 3 ways:
by relaying all queries, that is, acting as a DNS relay instead of a DNS server,
by relaying only the queries it can't resolve to your ISP's DNS server, or
by returning a null response if it can't resolve queries itself.
You can enable and configure DNS separately on each interface.


If you choose the DNS forwarding option, you can control DNS queries within your own network without
having to set up a separate DNS server.


If you choose to have your DNS server resolve queries, or you choose a split DNS, you must set up a
DNS database on your FortiGate.
This defines the host names that FortiGate will resolve queries for. Use zone file syntax outlined by
RFCs 1034 and 1035.
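The three DNS behaviours described above (relay everything, relay only what cannot be resolved locally, or answer only from the local database), together with the DNS database they rely on, as one added CLI example. This is not configuration from the guide; the upstream resolver 203.0.113.53, the zone name corp.example, the host records, and the interface "port2" are constructed assumptions.

```fortios
# Added example, not from the student guide. Zone, hosts and addresses are constructed.

# Upstream resolver that receives whatever FortiGate does not answer itself
config system dns
    set primary 203.0.113.53
end

# Local zone in the DNS database (the names FortiGate resolves on its own)
config system dns-database
    edit "corp.example"
        set domain "corp.example"
        set type master
        # shadow: answer only queries from the local network, never publish externally
        set view shadow
        set ttl 3600
        set authoritative enable
        config dns-entry
            edit 1
                set type A
                set hostname "mail"
                set ip 10.0.2.20
            next
            edit 2
                set type CNAME
                set hostname "smtp"
                set canonical-name "mail.corp.example"
            next
        end
    next
end

# Enable the DNS service on the internal interface and choose one of the 3 behaviours:
#   forward-only    relay every query to the upstream resolver (DNS relay)
#   recursive       answer from the database, relay only what it cannot resolve (split DNS)
#   non-recursive   answer from the database, null response for everything else
config system dns-server
    edit "port2"
        set mode recursive
    next
end
```

From a client on port2, a lookup of mail.corp.example should now be answered by FortiGate with 10.0.2.20, while a lookup of any public name is relayed to 203.0.113.53.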


Lastly, before you can integrate FortiGate in your network, FortiGate must have a default gateway.
If FortiGate gets its IP address through a dynamic method such as DHCP or PPPoE, then it will also
retrieve the default gateway.
Otherwise you must configure a static route. Without this, the FortiGate will not be able to respond to
packets outside the subnets directly attached to its own interfaces. It probably also won't be able to
connect to FortiGuard for updates, and may not properly route traffic.
Routing details are covered in another lesson. For now, you should usually make sure that FortiGate has
a route that matches all packets (destination is 0.0.0.0/0), and forwards them through the network
interface that is connected to the Internet, to the IP address of the next router.
Routing completes the basic network settings that are required before you can configure firewall policies.
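The default route described above, as an added CLI example (not from the guide), followed by the commands used to confirm it took effect. It assumes that "wan1" is the Internet-facing interface and that the ISP router has the constructed address 203.0.113.1.

```fortios
# Added example, not from the student guide. Interface name and gateway address are constructed.
config router static
    edit 1
        # 0.0.0.0/0 matches every packet that has no more specific route
        set dst 0.0.0.0 0.0.0.0
        set gateway 203.0.113.1
        set device "wan1"
        # Administrative distance; a lower value wins if a second default route is ever added
        set distance 10
    next
end

# Verify: the routing table should list the 0.0.0.0/0 entry via wan1, and the gateway should answer
get router info routing-table all
execute ping 203.0.113.1
```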


Now that FortiGate has basic network settings and administrative accounts, let's show how to back up
the configuration.
You can encrypt configuration files with a password, if necessary. Besides securing the privacy of your
configuration, it also has some effects you may not expect. Once encrypted, the configuration file cannot
be decrypted without the password and a FortiGate of the same model and firmware. This means that if
you send an encrypted configuration file to Fortinet Technical Support, even if you give them the
password, they still cannot load your configuration until they get access to the same model of FortiGate.
This can cause unnecessary delays when resolving your ticket.
Even if the configuration is not encrypted as a whole, each password is encrypted individually. So in
many cases, encrypting the entire configuration file may not be necessary.


If you open the configuration file in a text editor, you'll see that both encrypted and unencrypted
configuration files contain a clear text header that contains some basic information about the device. The
diagram here shows what information it includes.
To restore an encrypted configuration, you must upload it to the same model of FortiGate, with the same
firmware version, then provide the password.
To restore an unencrypted configuration file, you are only required to match the model. If the firmware is
different, FortiGate will attempt to upgrade the configuration, similar to how it uses upgrade scripts on the
existing configuration when upgrading firmware.
Usually, the configuration file only contains non-default settings, plus a few default yet crucial settings.
This minimizes the size of the backup, which could otherwise be several MB in size.


If you enable virtual domains, subdividing the resources and configuration of your FortiGate, each VDOM
administrator can back up and restore their own configurations. You don't have to back up the entire
FortiGate configuration.
VDOM details are discussed in a separate lesson.


Upgrading the firmware on a FortiGate is simple. The easiest method is to click the Update link on the
System Information widget on the dashboard, then choose a firmware file that you have downloaded
from support.fortinet.com.
If you want to make a clean install by overwriting both the existing firmware and its current
configuration, you can do this via the local console CLI, within the boot loader menu, while FortiGate is
rebooting. However, this is not the usual method.


You can also downgrade firmware. Since settings change in each firmware version, you should have a
configuration file in the syntax that is compatible with the firmware.
Remember to read the release notes. Sometimes a downgrade between firmware versions that
preserves the configuration is not possible, such as when the OS changed from 32-bit to 64-bit. In that
situation, the only way to downgrade is to format the disk, then reinstall.
Once you've determined the downgrade is possible, verify everything again, then start the downgrade.
After it completes, restore a configuration backup that is compatible with that version.
Why should you keep emergency firmware and physical access?
Old firmware versions don't know how to convert future configurations. Also, when upgrading via a path
that is not supported by the configuration translation scripts, you might lose all settings except basic
access settings such as administrator accounts and network interface IP addresses. Another rare but
possible scenario is that the firmware could be corrupted when you are uploading it. For all of those
reasons, you should always have local console access during an upgrade, in case of emergency.
However, in practice, if you read the Release Notes and have a reliable connection to the GUI or CLI, it
should not usually be necessary.


Remember your initial setup via FortiExplorer? You can also use it to download firmware, then install it
on your FortiGate.


To review, these are the topics that we just talked about.


We showed how FortiGate can replace multiple single-purpose devices yet increase power efficiency
and throughput. We explained the differences between FortiGuard services, and how those are part of
the UTM architecture. We showed how to configure administrator accounts, permissions, and how to
harden administrative access. We also explained how to choose the operation mode based upon the
behavior you need for each network interface, how to configure the network settings, and finally how to
back up the configuration and install firmware.


Logging & Monitoring

In this lesson, we will look at how to monitor your FortiGate, and how to log its system events and
network traffic. Since you are implementing a security solution, it is important to know how to
appropriately monitor the device's operation. It is vital to have logging and monitoring configured
properly and to know how to read the output. Otherwise, if you encounter issues, you won't have any
messages from FortiGate to help you find out what is happening in your network.


By the end of this lesson, you'll be able to:


Describe log severity levels
Identify where logs are stored
Describe the different types of logs
Understand log structure and behavior
Configure log settings
Understand the impact of logs on resources
Describe how to view log messages, and finally
Describe how to search and interpret log messages


The basic purpose of logs is to help you monitor your network traffic levels, track down problems,
establish baselines and a lot more.
Think of your own internal organization, where it is highly probable that more than one administrator
has access to your FortiGate device. Since it is not practical to block other administrators from making
changes to your FortiGate configuration, you can simply view the log files to find out what is
happening on the device, including any changes that were made. Logs help provide you with the big
picture so you can make adjustments to your network security, if necessary.
Keep in mind that some organizations have legal requirements when it comes to logging, so it is
important to be aware of your organization's policies during configuration.


Each log entry includes a log level that ranges in order of importance from Debug to Emergency. In
total there are eight levels. Debug, the lowest level, puts additional information into the event log and
is worthless unless you are actively investigating something. Debug is only needed to log diagnostic
data, puts more strain on the CPU resources, and requires additional resources to create. Generally
the lowest level you want to use is Information.
You and your organization's policies dictate what needs to be logged.


You can choose to store logs in a variety of places both on and off the device. Locally, the FortiGate
device has memory and many devices have a built-in hard drive. Externally, you can store logs on
Syslog servers, FortiCloud, SNMP, or a FortiAnalyzer device.


As an external logging device for FortiGate, a FortiAnalyzer or FortiManager is simply viewed as an IP
with which the FortiGate can communicate. As a result, you can place a FortiAnalyzer or
FortiManager within the same network as a FortiGate, or outside of it. However, a FortiGate can
communicate with a FortiAnalyzer or FortiManager only if it is a registered device. So long as the
FortiGate is properly registered with the FortiAnalyzer or FortiManager, it accepts incoming logs.
Communication between the FortiGate and FortiAnalyzer or FortiManager is done via SSL encrypted
OFTP traffic, so when a log message is generated, it can be safely transmitted across an unsecure
network.


So far, we've discussed FortiAnalyzer and FortiManager as interchangeable external logging devices
for the FortiGate. While configuring the FortiGate to send logs to a FortiAnalyzer or FortiManager is
identical (they share a common hardware and software platform), the FortiAnalyzer and
FortiManager actually have different capabilities that are worth noting. Both take log entries, but a
FortiManager's primary purpose is to centrally manage multiple FortiGate devices. As such, it has a
flat limit imposed on the amount of logs it can receive in a day, regardless of the model. On the other
hand, the FortiAnalyzer's primary purpose is to store and analyze logs, so the log limit is much higher
(though the limit is model-dependent). Even the smallest FortiAnalyzer can handle more logs per day
than any FortiManager.
But at the most basic level, what you can do with the logs received on a FortiManager is no different
than what you can do with logs received on a FortiAnalyzer.
The FortiGate has 2 methods for transmitting the log events. There is the store-and-upload option, as
well as real time.


You can configure logging to either a FortiAnalyzer or FortiManager through the GUI or CLI.
In the GUI, it is done under Log & Report > Log Config > Log Settings. Here, each device must be set
up separately, one at a time.
In the CLI, you can configure up to three separate FortiAnalyzer or FortiManager devices at the same
time. The options in the GUI only relate to the config log fortianalyzer setting, not fortianalyzer2 or
fortianalyzer3. You may need a setup like this for redundancy or for some other requirement. Keep in
mind that generating logs requires resources, so the impact of sending logs to multiple locations
ultimately depends on how many logs you are creating.


Another external logging option you can use is FortiCloud. FortiCloud is a subscription-based service,
offered by Fortinet, that offers long term storage of logs as well as reporting functionality. It's
a similar idea to FortiAnalyzer, but more advantageous for smaller setups, where purchasing a
dedicated logging appliance isn't feasible. Every FortiGate comes with a free one month trial. You can
activate your free trial from the GUI, link it to your FortiCare user, and start sending logs. Be sure to
read any documentation on the website if you are considering the subscription-based option.


On the FortiGate, all logs are split up into three different log types. These are traffic logs, event logs, and
security logs.
Each log type is further split up into sub-types. Traffic logs contain Forward, Local, Invalid and Multicast.
The Forward log contains information about traffic either accepted or rejected by a firewall policy. Local
traffic is traffic directly to/from the FortiGate, and includes logging into the GUI, as well as FortiGuard
queries. Invalid packets are the logs of packets thrown away before they even get to a firewall policy.
Event logs contain System, User, and Router/VPN/WanOpt & Cache/Wifi sub-types. System events are
related to system operations, such as automatic updates of the AV/IPS definitions and people logging
into the GUI. User contains logon/off events for users hitting firewall policies. Router/VPN/WanOpt
& Cache/Wifi contain log entries related to the specific feature. For example, Router contains BGP or
RIP log entries and VPN contains IPsec and SSL VPN log entries.
Finally, Security logs contain log entries based on the security profile type. For example, Antivirus, Web
Filter, and Intrusion Protection, to name a few. Security logs only show specific sub-types if logs are
created within them.


The Log & Report section of the FortiGate GUI includes the three log types: Traffic, Event, and (if
configured) Security. The Traffic Log contains events about packets. The Event Log contains admin or
system activity events. The Security Log contains messages related to security profiles activated on
firewall policies. By default, most of the events related to security appear in the Forward Traffic log, a
sub-type of the Traffic Log. This is for performance: fewer log files is less CPU intensive. The exception
to this is DLP and Intrusion Scanning. Events such as these always appear in the Security Log section.


To inspect your logs through the GUI, go to the Log & Report section and select the log type to view.
In the upper right corner of the window, you can switch between viewing the logs from different
locations if the FortiGate is set up to log to multiple locations.
It is not recommended to configure your firewall to actively inspect traffic without creating a log entry
about it.


This chart illustrates the expected behavior when you enable different logging options.
The first column, Policy Log Setting, shows the log setting on the firewall policy: No Log, Log Security
Events, or Log all Sessions.
The second column shows whether an Antivirus, Web Filter, or Email security profile is enabled or
disabled. Remember, DLP and IPS profiles always generate logs in the Security Log section.
The last column shows the behavior. If you enable any profiles on your policy and logging is not enabled,
you will not get logs of any kind, even if the profile is configured to block the traffic. So if you apply a
security profile, it's important to remember to consider the logging setting.
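The three policy log settings in the chart map to one CLI option on the firewall policy. The following is an added example, not configuration from the guide; it assumes a policy with ID 1 from "port2" to "wan1" that applies an antivirus profile named "default" (all constructed values).

```fortios
# Added example, not from the student guide. Policy ID, interfaces and profile name are constructed.
config firewall policy
    edit 1
        set srcintf "port2"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        # Security profile applied to this policy
        set utm-status enable
        set av-profile "default"
        set profile-protocol-options "default"
        # logtraffic selects the row of the chart:
        #   disable   "No Log": nothing is logged, even when the AV profile blocks a file
        #   utm       "Log Security Events": only sessions in which a profile took action
        #   all       "Log all Sessions": every session, plus the security events
        set logtraffic utm
    next
end
```

The setting worth checking after any policy change is that no policy carrying a security profile is left at "disable": with that combination a blocked download leaves no trace anywhere, which is the failure mode the chart warns about.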


When viewing the logs, you might encounter a high volume of log messages, depending on your
configuration. This makes it difficult to locate a specific log or log type, especially during an
investigation. In order to navigate the logs more efficiently, you can set up various filters. The more
information you specify in the filter, the easier it is to find the precise log entry. Filters are configured
for each column of data you choose to display. By default only a subset of the information appears in
the log table. Make sure to configure the table columns for your own requirements.


Every log message you view has a standard layout comprised of two sections: a header and a body.
The header contains the same information regardless of the log. The body, however, changes from
one type of log message to another. This is because there is some data common to all logs, like a
date and time, while other data is event dependent.


Let's take a closer look at the header in this example of a raw log entry. While the output is not
as structured as it appears in the GUI, the information contained in a raw log file is the same. As you
can see in the header, aside from the date, time, and log ID attributes, you can see that the log type is
UTM, the sub-type is DLP, and the severity level is Warning. The attributes in the header (such as log
type and sub-type) are common to every log, but the data aligned to it can be different. For example,
the header can contain a log type of Event and sub-type of System instead of what you see in the
example above. Accordingly, the information in the header of the log directly affects the data
contained in the associated body of the log.
Note that if you log to a 3rd party device, such as a Syslog server, you need to know how to set up
your filters in order to find what you need in your log messages. You can find a document that
contains all the logs and their layouts on the Fortinet docs web site at http://docs.fortinet.com .


Now lets take a closer look at the body of a log. The body provides the specifics of the log message
and helps you understand what actually happened. In the above log, we can see the action taken by
the FortiGate device when it encountered the traffic through the status attribute. Here, the status is
Deny, which means the FortiGate prevented this particular piece of traffic from passing. The value
indicated by policyid field provides useful information about the policy this traffic passed through
(which firewall rule was used).


Rather than look at raw logs or logs through the GUI, you can also display log messages from the CLI.
This allows you to set up a number of filters on the logs that are displayed, and to capture the output to a file
and send it via the options you specify, such as FTP.
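Viewing filtered logs from the CLI, as an added example (not from the guide). It assumes an investigation into a single internal host with the constructed address 10.0.2.150 and uses the `execute log filter` commands; category 0 is the traffic log and category 1 the event log, and `execute log filter category` with no argument lists the remaining numeric categories on your firmware.

```fortios
# Added example, not from the student guide. The host address is constructed.

# Start from a clean filter so nothing from an earlier session leaks in
execute log filter reset

# Traffic log only (category 0), limited to sessions from the host under investigation
# that the firewall denied, and show 50 lines per page
execute log filter category 0
execute log filter field srcip 10.0.2.150
execute log filter field action deny
execute log filter view-lines 50

# Show the filter you are about to apply, then the matching records
execute log filter dump
execute log display

# Switch to the event log (category 1) to correlate with admin logins at the same time
execute log filter reset
execute log filter category 1
execute log filter field subtype system
execute log display
```

Each `execute log display` prints one page of records in the same key=value layout as the raw log shown earlier, so the header fields (date, time, logid, type, subtype, level) and body fields (such as status and policyid) are directly visible.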


Monitoring your logs is critical, as it allows you to review the progress of an attack, whether afterwards
or while in progress, and address the issue quickly. How the attack unfolds may reveal weaknesses in
your preparations.
There are three ways you can monitor logs: Alert Emails, Alert Message Console, and SNMP.


Since you can't always be physically at the device, you can monitor logs by setting up Alert emails.
Alert emails are set up similarly to any log device. First you decide what is going into them (a filter)
and then where it is going.


In order to set up an alert email, the first thing you need to do is configure an SMTP server to allow for
communication between the server and the FortiGate device. This can only be done in the CLI.
This allows you to configure your alert email settings in the GUI through the Log & Report > Log
Config > Alert E-mail menu. Without configuring an SMTP server that will receive the email, the alert
email option does not appear in the GUI.
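The two steps above (the CLI-only SMTP server, then the alert e-mail filter) as one added CLI example. This is not configuration from the guide; the relay smtp.corp.example, the mailbox names and the submission port 587 with STARTTLS are constructed assumptions, and the exact option names under `config system email-server` should be confirmed with `?` on your firmware build.

```fortios
# Added example, not from the student guide. Server, accounts and addresses are constructed.

# 1. Mail server FortiGate will submit through (CLI-only; nothing appears in the GUI until this exists)
config system email-server
    set server "smtp.corp.example"
    set port 587
    set authenticate enable
    set username "fortigate@corp.example"
    set password "REPLACE_WITH_SECRET"
    set security starttls
end

# 2. What to send, and to whom
config alertemail setting
    # From address and up to three recipients
    set username "fortigate@corp.example"
    set mailto1 "secops@corp.example"
    set mailto2 "oncall@corp.example"
    # category mode: pick event categories rather than a severity threshold
    set filter-mode category
    set admin-login-logs enable
    set configuration-changes-logs enable
    set IPS-logs enable
    set antivirus-logs enable
    set FDS-update-logs enable
    # Minutes between mails for the two highest severities, to avoid flooding the inbox
    set emergency-interval 1
    set critical-interval 5
end
```

Use a dedicated mailbox with no other privileges for the submitting account, since its password is stored in the FortiGate configuration (individually encrypted, as the backup section of this guide explains).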


Another log monitoring option is the alert message console. The Alert Message Console is a GUI
widget that you can enable on the System dashboard. Here, instead of the alerts being emailed to
administrators like in Alert emails, they appear directly in the widget on the System page when you log
in to the FortiGate. You can configure the widget to set up the events you want to appear as alerts, the
number of alerts, and even the name of the widget itself. For example, you can have multiple alert
widgets on the dashboard with different names, all displaying different types of alerts.
Once an alert appears in the Alert Message Console it remains until acknowledged. Once you confirm
the event did not impact anything, you acknowledge it, and it is removed from your list; it no longer
appears as something that requires further attention.


Another method of monitoring logs is through an SNMP manager. In order to use this method, you
require the Management Information Base (MIB) file. A MIB is a text file that describes a list of SNMP
data objects that are used by the SNMP manager. These MIBs provide information the SNMP
manager needs to interpret the SNMP trap, event, and query messages sent by the FortiGate device
SNMP agent. They can be loaded into any SNMP software so that you can set up automatic queries
to the device in order to discover operational status. You can obtain CPU, memory levels, the cause
for the last spam detection, and more. A FortiGate device can support SNMP v1, v2 and v3.
You can obtain the MIB files either on the Support website or directly from the FortiGate GUI through
the System > Config > SNMP menu.


Setting up the necessary SNMP options is fairly straightforward from the GUI. Simply enable and
define the service as you would any other SNMP monitored device and then enable your protocol
options and methods of monitoring. What can be monitored with the different options is exactly the
same. SNMP v3 offers some additional security over the previous two versions of the protocol, like
traffic encryption and authentication.
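SNMP v3 with both authentication and encryption, as an added CLI example (not from the guide). It assumes an SNMP manager at the constructed address 10.0.1.30, a user named "nms", and that the manager reaches FortiGate through port1.

```fortios
# Added example, not from the student guide. Manager address, user and passphrases are constructed.

# Global agent settings
config system snmp sysinfo
    set status enable
    set description "FortiGate edge firewall"
    set contact-info "secops@corp.example"
    set location "DC1 rack 4"
end

# SNMP v3 user: auth-priv means every query and trap is authenticated (SHA) and encrypted (AES)
config system snmp user
    edit "nms"
        set security-level auth-priv
        set auth-proto sha
        set auth-pwd "REPLACE_WITH_AUTH_PASSPHRASE"
        set priv-proto aes
        set priv-pwd "REPLACE_WITH_PRIV_PASSPHRASE"
        # Accept queries from the manager and send it traps for these events
        set queries enable
        set notify-hosts 10.0.1.30
        set events cpu-high mem-low log-full intf-ip ips-pkg-update
    next
end

# The agent only answers on interfaces where snmp is an allowed access protocol
config system interface
    edit "port1"
        set allowaccess https ssh snmp
    next
end
```

Because the MIB files describe the same objects for all three SNMP versions, the manager sees identical data whether it polls with v2c or v3; the v3 user simply adds the authentication and encryption the paragraph mentions. Leave no community configured under `config system snmp community` unless a v1/v2c-only manager genuinely needs it.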


In the GUI, under Log & Report > Log Config > Log Settings, you can enable different locations for log
storage. You can also configure the different kinds of traffic you want to appear in the Local traffic log.
Finally, you can configure the GUI preferences. Resolving IPs to host names requires the FortiGate to
perform DNS lookups for all the IPs. If your DNS is not working or running slowly, this can impact your
ability to look through the logs as the requests will time out.


Using the CLI to configure log settings provides you with more flexibility and options than the GUI.
From the CLI, you can configure up to three separate FortiAnalyzers and Syslog servers, options not
available in the GUI. There is also the ability to set up logging to Webtrends, a 3rd party service. The
information you require for configuring the log settings is dependent on the logging option you
configure: disk, FortiAnalyzer, FortiGuard, memory, Syslog, or Webtrends.
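Multiple external log destinations from the CLI, as one added example that serves both this passage and the earlier one on `config log fortianalyzer` versus `fortianalyzer2`/`fortianalyzer3`. This is not configuration from the guide; the FortiAnalyzer addresses 10.0.1.40 and 10.0.1.41 and the syslog server 10.0.1.20 are constructed assumptions.

```fortios
# Added example, not from the student guide. All server addresses are constructed.

# Primary FortiAnalyzer: this is the only one the GUI Log Settings page edits
config log fortianalyzer setting
    set status enable
    set server 10.0.1.40
    # realtime sends each record as it is generated;
    # store-and-upload batches records from local disk and uploads them on a schedule
    set upload-option realtime
end

# Second FortiAnalyzer for redundancy: CLI-only
config log fortianalyzer2 setting
    set status enable
    set server 10.0.1.41
    set upload-option realtime
end

# Syslog server (plain UDP 514, so place it on a network you trust, unlike the
# SSL-encrypted OFTP channel used for FortiAnalyzer)
config log syslogd setting
    set status enable
    set server 10.0.1.20
    set port 514
    set facility local7
end

# Send only warning and above to syslog; the FortiAnalyzer keeps the full detail
config log syslogd filter
    set severity warning
end

# Verify the OFTP registration before relying on it
execute log fortianalyzer test-connectivity
```

Every destination you add here costs CPU proportional to the number of records generated, so apply a severity filter to the secondary destinations rather than duplicating everything.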


Firewall policies also have logging options you can configure. The policy setting determines if and
when a log message is generated for traffic passing through a particular firewall policy. The settings
under Log Settings in the GUI and the config log command in the CLI determine where the FortiGate
stores the log messages it creates.


It's important to remember that creating logs is not free; it does weigh on your system. The more
logs that get generated, the heavier the toll on your CPU and memory resources. Storing logs for a
period of time also requires disk space, as does accessing them. So before configuring logging, make
sure it's worth the extra resources and that your system can handle the influx.
Also important to note is logging behavior with UTM profiles. UTM profiles create log events when
traffic is detected. Depending on the amount of traffic you have and the logging settings that are enabled,
your traffic logs can easily become a problem that will ultimately impact the performance of your
firewall.
There is an option in the CLI that removes some of the information stored in the traffic log: set brief-traffic-format enable. By executing this command, you can free up resources on the firewall.


In configuring the Event log settings, remember that Event logs are not caused by traffic passing
through firewall policies. For example, VPNs going up and down or routing protocol activity are not
caused by traffic passing through a firewall policy. One exception might be the user log. This does not
record information about traffic through firewall policies directly, but it does record user logon/logoff
events on traffic that passes through policies.
Event logs provide all of the system information generated by the FortiGate device, such as
administrator logins, configuration changes made by administrators, user activity, and daily operations
of the device. So what you enable depends on what features you are implementing and what
information you need to get out of the logs. You can enable what events you want to log through the
Log & Report > Log Config > Log Settings menu.
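The volume controls discussed in the last few paragraphs (the minimum severity, the brief traffic format, which local traffic is logged, and which event sub-types are enabled) as one added CLI example. This is not configuration from the guide; the choices shown are an assumed baseline for a device that logs to memory and forwards to an external collector.

```fortios
# Added example, not from the student guide. The selected values are an assumed baseline.

# Lowest severity kept in the memory log; Information is the usual floor outside an investigation
config log memory filter
    set severity information
end

config log setting
    # Strip rarely needed fields from each traffic record
    set brief-traffic-format enable
    # Local traffic (to/from FortiGate itself): keep denied unicast, drop the noisy allowed traffic
    set local-in-allow disable
    set local-in-deny-unicast enable
    set local-in-deny-broadcast disable
    set local-out disable
    # Record packets dropped before reaching any policy (the Invalid traffic sub-type)
    set log-invalid-packet enable
    # Record sessions that fall through to the implicit deny policy
    set fwpolicy-implicit-log enable
end

# Event log sub-types: enable only the features in use
config log eventfilter
    set event enable
    set system enable
    set user enable
    set vpn enable
    set router disable
    set wan-opt disable
    set wireless-activity disable
end
```

Re-enable `router` or `wireless-activity` as soon as you deploy dynamic routing or FortiAPs; an event sub-type that is disabled leaves no record at all, which is the same blind spot the policy logging chart describes for traffic logs.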


There is also a daily log monitor section. This displays the number of logs generated over time as well
as the log type. This allows you to see where your FortiGate device is using most of its resources and
if any trends are occurring. You can drill down through these logs and obtain further information by
clicking any of the days.


Each function of the FortiGate device has an equivalent Monitor menu item in the GUI. This allows
you to view, at any given moment, how the feature is performing. The Security functions have a
monitor option like the rest, but you need to enable it from the CLI before it appears. With a lot of
security activity this could impact your CPU, so it's disabled by default.

One example of a GUI monitor is the Security Profiles monitor, found in the GUI under Security
Profiles > Monitor. It has sub-sections for each security feature to highlight recent activity, such as AV
Monitor, Web Monitor, and Application Monitor to name a few. This gives you a snapshot of what is
happening with that particular option. Almost every menu has this option.

Another means of monitoring is through the widgets on the status page. Many can be customized to
show the same type of information in multiple ways. If you click the pencil icon in the upper right
corner of the widget, you can configure any of the available settings for that widget. You can add some
widgets to the same dashboard multiple times, with each instance displaying different information.

By default, there are a number of different dashboards available. Each one has a different name with a
different collection of widgets to provide different types of information. Each user has their own
dashboard setup and layout, so if one user deletes a dashboard and rearranges the widgets on the
Status page, it will not impact any of the other users. You can alter a user's permissions so that they
cannot make changes to their dashboard, and use this to restrict their access.

One other area you may want to monitor, purely for diagnostics, is the crash logs, available through
the CLI. The FortiGate is like a computer, with different processes that handle different things, like
DHCP or web filtering for example. Any time a process is closed for any reason, the crash log records
this as a crash. If there is an abnormal termination of a process, you can look at the crash logs and
find out the conditions that caused it. A normal and fairly common thing to see in the crash log is
entries for Scanunitd, which is the process responsible for virus scanning. Any time the definitions
package is updated, that process needs to close down in order to apply the new package. This is a
normal shutdown and appears with a status of zero, which indicates a normal shutdown with no
abnormalities.

In this lesson, we covered log severity levels; storage locations; log types and subtypes; log structure
and behavior; log settings; viewing log messages; and monitoring, reading, and interpreting log
messages.

Firewall Policies

In this lesson, we will show you how to pass traffic through FortiGate, and explain how that works. At its
core, FortiGate is a firewall, so almost everything that it does to your traffic is linked into your firewall rules.

After this lesson, you should be able to properly identify the different components used in a firewall policy.
You'll be able to configure firewall policies and arrange them to correctly match traffic.

You'll also be able to apply UTM and other features through the firewall policy, test your policies, and
monitor traffic passing through them.

To begin, let's talk about what firewall policies are.


Firewall policies define which traffic matches, and what FortiGate will do if it does.
Should the traffic be allowed? This is decided first based on simple criteria such as the source. Then, if the
policy itself does not block the traffic, FortiGate begins more computationally expensive UTM inspection,
such as application control and web filtering, if you've chosen it in the policy. Those scans could block the
traffic if, for example, it contains a virus. Otherwise, the traffic is allowed.
Will NAT be applied? Authentication required? Firewall policies also determine that. Once processing is
finished, FortiGate forwards the packet towards its destination.

When a packet arrives, how does FortiGate find a matching policy? Each policy has match criteria, which
you can define using objects:
Ingress and egress interfaces
Source and destination, by IP address, device ID, or user
Network service(s) (that is, IP protocol and port number)
Schedule
Once FortiGate finds a matching policy, it applies its settings for packet processing. Is antivirus scanning
applied? Will source NAT be applied?
For example, if you want to block incoming FTP to all but a few FTP servers, you would define the
addresses of your FTP servers, and select those as the destination, and select FTP as the service. You
probably wouldn't specify a source (often any location on the Internet is allowed) nor a schedule (usually
FTP servers are always available, day or night). Finally, you would set the Action setting to Accept.
This might be enough, but often, you'll want more thorough security. Here, the policy also authenticates
the user, scans for viruses, limits the bandwidth consumption, and logs blocked connection attempts.

Firewall policies appear in an organized list. It's either organized into a section view, or a global view.
Usually, it will appear in section view. Each section contains policies for that ingress-egress pair.
Alternatively, you can choose to view your policies as a single comprehensive list, by selecting Global
View at the top of the page.
Policy sequence numbers define the order in which rules are processed. Policy IDs are identifiers. By
default, sequence numbers are displayed on the GUI. CLI commands, however, use the policy ID: edit <ID>.
This may confuse the administrator into modifying the wrong policy. To avoid such errors, add the policy ID
to the GUI using the column settings.

In some cases, you won't have a choice of which view, though.


If you use multiple source/destination interfaces or the any interface, policies cannot be separated into
sections by interface pairs, because some would be triplets or more. So instead, policies are always
displayed in a single list. It is ordered primarily by the policy sequence number.
To help you remember the use of each interface, you can give them aliases. For example, you could call
port1 WAN. This can help to make your list of policies easier to comprehend.

Remember that we mentioned that only the first matching policy applies?
Moving your policies into the correct position is important. It affects which traffic is blocked or allowed.
In the applicable interface pair's section, FortiGate will look for a matching policy, beginning at the top. So
usually, you should put more specific policies at the top. Otherwise, more general policies will match the
traffic first, and your more granular policies will never be applied.
Here, we're moving a policy that only matches Windows SMB traffic above the more general "accept
everything from everywhere" policy. Otherwise, FortiGate would always apply the first matching policy,
the "accept everything" policy, and never reach the "block SMB" policy.
How does FortiGate determine if a packet matches a policy? Let's look at that next.
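
As an added illustration (not code from the guide or from FortiOS), the following Python model reproduces the first-match lookup described above: interface pair (including any), source and destination address with optional user and device refinements, service by protocol and destination port, schedule, and the implicit deny at the end of the list. The policies, packets and addresses are constructed; SMB on TCP 445 is an assumed service object, not one the guide lists.

```python
from dataclasses import dataclass, field
from datetime import time
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Predefined service objects named in the guide (HTTP, HTTPS) plus SMB on
# TCP 445, a constructed entry for the ordering example below.
SERVICES = {"HTTP": ("tcp", 80), "HTTPS": ("tcp", 443), "SMB": ("tcp", 445)}
ALWAYS = (time(0, 0), time(23, 59, 59))


@dataclass
class Packet:
    ingress: str                  # interface the packet arrived on
    egress: str                   # interface chosen by the routing lookup
    src: str
    dst: str
    proto: str
    dport: int
    user: Optional[str] = None    # known only after authentication
    device: Optional[str] = None  # from device identification
    when: time = time(12, 0)


@dataclass
class Policy:
    name: str
    srcintf: List[str]            # "any" matches every interface
    dstintf: List[str]
    srcaddr: List[str]            # CIDR strings, or "all"
    dstaddr: List[str]
    service: List[str]            # names from SERVICES, or "ALL"
    action: str                   # "accept" or "deny"
    schedule: Tuple[time, time] = ALWAYS
    users: List[str] = field(default_factory=list)    # optional refinements
    devices: List[str] = field(default_factory=list)


def _intf_ok(selected: List[str], actual: str) -> bool:
    return "any" in selected or actual in selected


def _addr_ok(selected: List[str], actual: str) -> bool:
    return "all" in selected or any(
        ip_address(actual) in ip_network(net) for net in selected)


def _svc_ok(selected: List[str], proto: str, dport: int) -> bool:
    # Only protocol and destination port define a service; the source port
    # is ephemeral and is never compared.
    return "ALL" in selected or any(
        SERVICES[name] == (proto, dport) for name in selected)


def matches(pol: Policy, pkt: Packet) -> bool:
    """Every criterion must match; user and device only narrow the match."""
    return (_intf_ok(pol.srcintf, pkt.ingress)
            and _intf_ok(pol.dstintf, pkt.egress)
            and _addr_ok(pol.srcaddr, pkt.src)
            and _addr_ok(pol.dstaddr, pkt.dst)
            and _svc_ok(pol.service, pkt.proto, pkt.dport)
            and pol.schedule[0] <= pkt.when <= pol.schedule[1]
            and (not pol.users or pkt.user in pol.users)
            and (not pol.devices or pkt.device in pol.devices))


def lookup(policies: List[Policy], pkt: Packet) -> Tuple[str, str]:
    """First match wins; no match falls through to the implicit deny."""
    for pol in policies:
        if matches(pol, pkt):
            return pol.name, pol.action
    return "implicit-deny", "deny"


# Constructed policies between port1 (WAN) and port2 (DMZ): a specific
# "block SMB" rule, the general "accept everything from everywhere" rule,
# and a backup window that only matches at night.
BLOCK_SMB = Policy("block-SMB", ["port1"], ["port2"], ["all"], ["all"], ["SMB"], "deny")
ACCEPT_ALL = Policy("accept-all", ["port1"], ["port2"], ["all"], ["all"], ["ALL"], "accept")
BACKUP = Policy("backup-window", ["port2"], ["port1"], ["10.0.2.0/24"], ["all"],
                ["HTTPS"], "accept", schedule=(time(22, 0), time(23, 59, 59)))

SMB_PKT = Packet("port1", "port2", "203.0.113.5", "10.0.2.10", "tcp", 445)
HTTP_PKT = Packet("port1", "port2", "203.0.113.5", "10.0.2.10", "tcp", 80)
PORT4_PKT = Packet("port4", "port2", "10.0.4.9", "10.0.2.10", "tcp", 80)
NIGHT_PKT = Packet("port2", "port1", "10.0.2.10", "198.51.100.7", "tcp", 443, when=time(23, 0))
DAY_PKT = Packet("port2", "port1", "10.0.2.10", "198.51.100.7", "tcp", 443, when=time(9, 0))


def demo() -> dict:
    """Why the specific rule must sit above the general one, and what else drops traffic."""
    return {
        "specific_first_smb": lookup([BLOCK_SMB, ACCEPT_ALL], SMB_PKT),
        "specific_first_http": lookup([BLOCK_SMB, ACCEPT_ALL], HTTP_PKT),
        "general_first_smb": lookup([ACCEPT_ALL, BLOCK_SMB], SMB_PKT),
        "no_policy_for_port4": lookup([BLOCK_SMB, ACCEPT_ALL], PORT4_PKT),
        "backup_at_night": lookup([BACKUP], NIGHT_PKT),
        "backup_by_day": lookup([BACKUP], DAY_PKT),
    }
```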

Each policy matches traffic and applies security by referring to objects such as addresses and profiles that
you've defined.
What about other firewall policy types? Do IPv6 policies exist? Yes. And they use slightly different objects
that are relevant to their type. In this lesson, we're discussing IPv4 firewall policies and SSL/SSH
inspection. They are the most common use case.

To begin describing how FortiGate finds a policy for each packet, let's start with the interface pairs. We
showed them in section view.
Packets arrive on an ingress interface; routing determines the egress. Both interfaces must match the
policy's interface criteria in order for it to be a successful match. In each policy, you must select both a
source and destination interface, even if it is any.
So if a packet arrives on port4, but you only have policies between port1 (WAN) ingress and port2 (DMZ)
egress, for example, the packet would not match your policies and therefore be dropped due to the implicit
deny policy at the end of the list, even if the packet did match the egress port of any.
Interfaces may be grouped into logical zones. For example, you could group port7 to port10 as a LAN
zone. This generally simplifies policy configuration, except that an interface in a zone cannot be referenced
individually. So if you must subdivide a zone, don't. Instead, select multiple source and destination
interfaces in the firewall policy.

The next match criterion that FortiGate considers is the packet's source.
In each firewall policy, you therefore must select a source address object. Optionally, you can refine your
definition of the source by also selecting a user, group and/or a specific device. If your organization allows
BYOD (that is, Bring Your Own Device), then a combination of all three provides a much more granular
match.
In earlier releases of FortiOS 5, sub-policies were used for authentication (also called identity) and device
identification. Also, it was either-or: you could not use both types in the same rule. In 5.2, you can now
use both user and device definitions together, in the same firewall policy.

Using Source Device Type causes the FortiGate to enable device identification on the source interface(s)
of that policy.

There are two device identification techniques: agentless and agent-based.


Agentless uses traffic from the device: the MAC address OUI, TCP fingerprint, and HTTP User-Agent:
header. Devices are indexed by their MAC address.
Agent-based uses FortiClient. FortiClient sends information to FortiGate, and the device is tracked by its
FortiClient UID.

Device Definitions shows the list of detected devices. You can also define static entries.
Detected devices are saved to the FortiGate's flash. Therefore, on restart, the FortiGate knows the devices
already identified, and does not have to re-categorize each device.
The user displayed in the device information is just a tag; it cannot be used as a means of identity for an
authentication policy.

The CLI command diag user device list shows a more detailed listing than User & Devices > Device >
Device Definitions, including the detection method.

FortiClient devices have a unique ID which can be used as an index for the device. This is instead of the
MAC address, which may be problematic when a device has multiple MAC addresses (such as servers or
virtual machines), or where there is no Layer 2 visibility of that device.

FortiGate can control FortiClient settings via the profile and registration.

License Information on the FortiGate GUI dashboard shows the registered devices. Windows and Mac
FortiClient installers are also available from this dashboard widget.

Once a FortiClient registers itself with a FortiGate, you'll be able to see its UID on the endpoint control
device list.

You may configure the default FortiClient profile or add additional profiles. New profiles applied to devices
or users override the default.

Once you've configured the settings, FortiGate will send them back to FortiClient.

FortiClient is the agent-based approach for source device type.

To reduce the total number of firewall policies in RAM, and simplify administration, you can group service
and address objects, then reference that group in the firewall policy, instead of selecting multiple objects
each time or making multiple policies.
You can also group virtual IPs.

Here, all three source selectors identify the user group, device type, and specific subnet. This would not
have been possible in previous firmware versions.
Remember, user and device are optional objects. They are used here so that the policy is more specific. If
you wanted the policy to match more traffic, you could leave them undefined.

In earlier releases of FortiOS 5, if traffic matched an identity sub-policy, by default, FortiGate simply
blocked traffic that failed authentication. It would not fall through to try the next authentication rule unless
you had explicitly enabled the option fall-through-unauthenticated.
But in this release, FortiGate uses the fall-through behavior by default.

Like the packet's source, FortiGate also checks the destination address for a match.
Address objects may be a host name, IP subnet or range. If you enter an FQDN as the address object,
make sure that you've configured your FortiGate with DNS settings. FortiGate uses DNS to resolve those
host names to IP addresses, which are what actually appear in the IP header.
Geographic addresses, which are groups or ranges of addresses allocated to a country, may be selected
instead. These objects are updated via FortiGuard.

Schedules add a time element to the policy. For example, a policy allowing backup software may activate
at night, or a remote address may be allowed for testing purposes and a schedule provides a test window.

Another criterion that FortiGate uses to match policies is the packet's service.
At the IP layer, protocol numbers (for TCP, UDP, SCTP, etc.) and source and destination ports together
define each network service. Generally, only a destination port (that is, the server's listening port) is
defined. Some legacy applications may use a specific source port, but in most modern applications, the
source port is randomly determined at transmission time, and therefore is not a reliable way to define the
service.
For example, the predefined service object named HTTP is TCP destination port 80; HTTPS is TCP
destination port 443. However, the source ports are ephemeral, and therefore not defined.

We've just shown several component objects that can be re-used as you make policies. What if you want
to delete an object?
If it's being used, you can't. First, you must reconfigure the objects that are currently using it. The GUI
provides a simple way to find out where in the FortiGate's configuration an object is being referenced. See
the numbers in the Ref. column? They are the number of places where that object is being used. The
number is actually a link, so if you click it, you can see which objects use it.

We've just shown how policies are matched. Let's look a little beyond that now, to slightly before policies,
and to the scans they can use, as well as packet egress.
What happens when a packet first arrives on a FortiGate network interface?
Step 1 is packet ingress.
If a Denial of Service sensor is selected in the policy, it takes effect. Because it's applied so early, DoS
packets don't receive other scans, and therefore don't consume unnecessary CPU or RAM.
At the IP layer, the packet's CRC is checked for a match with the CRC in the header to make sure that
the packet wasn't corrupted in transmission.
IPSec session-related packets are sent to either the kernel or hardware for payload decryption.
Destination NAT is applied before routing.
If this is a new session, or routing information has changed, FortiGate will make a routing lookup.

Step 2 is stateful inspection.


Is this traffic destined for the FortiGate itself, such as the administrative GUI, SSL VPN, authentication,
DNS queries, or FortiGuard?
Is this traffic that should be forwarded by a policy's established session, or that should be checked for a
policy match?
Does the traffic require a session helper to open dynamic ports, rewrite addresses in application layer
headers, etc.?

Step 3 is content inspection. FortiGate applies the security profiles that you selected in the policy here.
There are two main types of content inspection:
Flow-based
Proxy-based
The order of inspection is important. The next step applies only if traffic is not blocked by the previous step.

Step 4 is packet egress.


Should FortiGate route the packet to an IPsec VPN virtual interface, before it is rerouted to a physical
interface?
Should FortiGate apply source NAT?
Which interface should the packet depart from?

If you enable session starts, FortiGate will create a traffic log when the session begins. But remember that
increasing logging decreases performance. So use it only where necessary.
Once a firewall policy closes an IP session, if you have enabled logging in the policy, FortiGate will
generate traffic logs.
During the session, if a security profile detects a violation, FortiGate will record the attack log immediately.
To reduce the amount of log messages generated and improve performance, you can enable a session
table entry of dropped traffic. This option is in the CLI, and is called ses-denied-traffic.
If the GUI option session starts is not displayed, your FortiGate device does not have internal storage. This
option is in the CLI, regardless of internal storage, and is called set logtraffic-start enable.

Once the first packet (assuming it is not dropped) establishes an IP session, FortiGate enters it in its
session table. If subsequent packets are received before the session times out, a hash lookup finds the
applicable policy for the scans or NAT that it should apply to incoming packets.
You can use the monitor section in order to determine how much traffic is matching each firewall policy.

The session table can also be viewed from the CLI.


Firewall performance, in terms of connections per session and the maximum number of connections, is
indicated by the session table. But keep in mind that if your FortiGate contains FortiASIC NP chips, designed
to accelerate processing without loading the CPU, this may not be completely accurate. The session table
reflects what is known to and processed by the CPU.

Since the session table has a finite amount of RAM that it can use on your FortiGate, adjusting the session
time to live (TTL) can improve performance. There are global default timers, session state timers, and
timers configurable in firewall objects.

In this example, you can see the session TTL, which reflects how long FortiGate can go without receiving
packets before it removes the session from its table.
Proto_state for TCP is taken from its state machine, which we'll talk about next.
Traffic shaping manages your bandwidth. Traffic counters are the overall counters for the session, and
show how much data was sent and received.
NAT actions are also tracked.

In the previous slide, remember that the session table contained a number that indicated the connection's
current TCP state. These are the states of the TCP state machine. They are single-digit values, but
proto_state is always shown as two digits. This is because when proxy-based inspection is used, which is
discussed later, two connections are established with the proxy: one to the client, and one to the server. If
there are too many connections in the SYN state for long periods of time, this indicates a SYN flood, which
you can mitigate with DoS policies.
UDP is a stateless protocol. So it doesn't technically have states like TCP. However, the session table
does use the state column to track unidirectional UDP as state 0, and bidirectional UDP as state 1.

Before looking at the session table, first build a filter. To look at our test connection you can filter on dst
10.200.1.254 and dport 80.

Here we see the corresponding session table entry, including the routing and NAT actions that apply to
the traffic.
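
Added example, not part of the guide: a Python parser for the session table output discussed on the previous slides. It applies the dst/dport filter, decodes proto_state (right digit for the client-side connection, left digit for the server-side connection when a proxy splits the session), reports the remaining TTL and NAT actions, and counts sessions that have sat in a SYN state for a while. The sample output is constructed, not captured from a device, and is trimmed to the lines the parser reads; the TCP state name table is an assumption to verify against your FortiOS version.

```python
import re
from typing import Dict, List

# Constructed sample of "diagnose sys session list" output (not captured from a
# device); each entry is trimmed to the lines this parser reads.
SAMPLE = """\
session info: proto=6 proto_state=01 duration=23 expire=3577 timeout=3600 flags=00000000 use=3
state=log may_dirty none
hook=post dir=org act=snat 10.0.1.10:54120->10.200.1.254:80(10.200.1.1:54120)
hook=pre dir=reply act=dnat 10.200.1.254:80->10.200.1.1:54120(10.0.1.10:54120)
misc=0 policy_id=1 auth_info=0 vd=0
session info: proto=6 proto_state=02 duration=47 expire=13 timeout=60 flags=00000000 use=3
state=log may_dirty none
hook=post dir=org act=snat 10.0.1.99:40011->10.200.1.254:80(10.200.1.1:40011)
hook=pre dir=reply act=dnat 10.200.1.254:80->10.200.1.1:40011(10.0.1.99:40011)
misc=0 policy_id=1 auth_info=0 vd=0
session info: proto=6 proto_state=02 duration=46 expire=14 timeout=60 flags=00000000 use=3
state=log may_dirty none
hook=post dir=org act=snat 10.0.1.99:40012->10.200.1.254:80(10.200.1.1:40012)
hook=pre dir=reply act=dnat 10.200.1.254:80->10.200.1.1:40012(10.0.1.99:40012)
misc=0 policy_id=1 auth_info=0 vd=0
session info: proto=17 proto_state=01 duration=2 expire=178 timeout=180 flags=00000000 use=3
state=may_dirty none
hook=post dir=org act=noop 10.0.1.10:51002->10.200.1.254:53(0.0.0.0:0)
hook=pre dir=reply act=noop 10.200.1.254:53->10.0.1.10:51002(0.0.0.0:0)
misc=0 policy_id=2 auth_info=0 vd=0
"""

# Assumed decoding of the single-digit TCP states (verify against your
# FortiOS version); the UDP values are the ones the guide gives.
TCP_STATE = {0: "NONE", 1: "ESTABLISHED", 2: "SYN_SENT", 3: "SYN_RECV",
             4: "FIN_WAIT", 5: "TIME_WAIT", 6: "CLOSE", 7: "CLOSE_WAIT",
             8: "LAST_ACK", 9: "LISTEN"}
UDP_STATE = {0: "UNIDIRECTIONAL", 1: "BIDIRECTIONAL"}
KV = re.compile(r"(\w+)=(\S*)")
HOOK = re.compile(r"act=(\w+) (\S+):(\d+)->(\S+):(\d+)\((\S+):(\d+)\)")


def decode_state(proto: int, proto_state: str) -> Dict[str, str]:
    """Right digit: client-side connection. Left digit: server-side connection,
    non-zero only when proxy-based inspection splits the session in two."""
    left, right = int(proto_state[0]), int(proto_state[1])
    if proto == 6:
        return {"client_state": TCP_STATE.get(right, "?"),
                "server_state": TCP_STATE.get(left, "?")}
    return {"client_state": UDP_STATE.get(right, "?"), "server_state": "n/a"}


def parse_sessions(text: str) -> List[dict]:
    """Split the CLI output into entries and pull out TTL, state, policy and NAT."""
    sessions = []
    for block in re.split(r"^(?=session info:)", text, flags=re.M):
        if not block.startswith("session info:"):
            continue
        kv = dict(KV.findall(block))
        proto = int(kv["proto"])
        entry = {"proto": proto, "proto_state": kv["proto_state"],
                 "duration": int(kv["duration"]),
                 "expire": int(kv["expire"]),        # remaining session TTL (s)
                 "policy_id": int(kv["policy_id"]), "nat": []}
        entry.update(decode_state(proto, kv["proto_state"]))
        for m in HOOK.finditer(block):
            act, sip, spt, dip, dpt, tip, tpt = m.groups()
            entry["nat"].append((act, (sip, int(spt)), (dip, int(dpt)), (tip, int(tpt))))
        # The original-direction hook carries the untranslated addresses.
        entry["src"], entry["dst"] = entry["nat"][0][1], entry["nat"][0][2]
        sessions.append(entry)
    return sessions


def filter_sessions(sessions: List[dict], dst: str = None, dport: int = None) -> List[dict]:
    """Same effect as 'diagnose sys session filter dst ... dport ...' on the CLI."""
    return [s for s in sessions
            if (dst is None or s["dst"][0] == dst) and (dport is None or s["dst"][1] == dport)]


def pending_syn(sessions: List[dict], min_age: int = 30) -> Dict[str, int]:
    """Count, per source, TCP sessions stuck in a SYN state for at least min_age
    seconds: many from one source is the SYN-flood pattern the guide describes."""
    counts: Dict[str, int] = {}
    for s in sessions:
        if (s["proto"] == 6 and s["client_state"] in ("SYN_SENT", "SYN_RECV")
                and s["duration"] >= min_age):
            counts[s["src"][0]] = counts.get(s["src"][0], 0) + 1
    return counts
```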

In addition to security scans, firewall policies also determine what network address translation (NAT) or
port address translation (PAT) to apply to each packet.
NAT and PAT, also known as NAPT, translate internal, typically private, IP addresses, to external, typically
public or Internet, IP addresses.
In FortiOS, NAT and traffic forwarding are configured in the same firewall policy. However, diagnostics
clearly show NAT and forwarding as separate actions. The NAT option in a firewall policy, and IP Pools,
are source NAT settings and objects. Virtual IPs are destination NAT objects.

The default source NAT option uses the egress interface address. This is a many-to-one NAT. In other
words, port address translation is used and connections are tracked using the original source address and
source port combinations, and allocated source port. This is the same behavior as the overload IP Pool
type, discussed later.
Optionally, you may select Fixed Port, in which case source port translation is disabled. With fixed port,
if two or more connections require the same source port for a single IP address, only one connection can
be established.

If you use an IP pool, the source address is translated to an address from that pool rather than the egress
interface address. The larger the number of addresses in the pool, the greater the number of connections
that can be supported.
The default IP pool type is overload; here there is a many-to-one (or many-to-few) relationship, and port
translation is used.

One-to-one differs in the sense that there is a single mapping of an internal address to an external address.
Port address translation is not required in this case. See the circled example showing the same source
ports on ingress and egress?
Mappings are not fixed. They are allocated on a first-come, first-served basis. If there are no more
addresses available, a connection will be refused, as shown in the debug flow.

This example uses a fixed port range IP pool.


The internal address range 10.0.1.10-10.0.1.11 maps to the external address range 10.200.1.7-10.200.1.8.
This configuration provides an explicit relationship between internal and external ranges, and disables port
address translation.

These two CLI outputs illustrate the behavior difference between the port block allocation type, and the
default overload type.
Using hping, a rogue client generates many SYN packets per second. In the first example, the port block
allocation type limits the client to 64 connections for that IP pool. Other users will not be impacted by the
rogue client.
In the second example, the overload type imposes no limits, and the rogue client uses many more
connections in the session table. Other users will now be impacted.
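
Added example, not from the guide or from FortiOS: a Python model of the source NAT pool behaviours described on the preceding slides (overload, fixed port, one-to-one, fixed port range and port block allocation), with a small session-table limit so the rogue-client case above can be reproduced: under overload the rogue host fills the table and a normal user is refused, under port block allocation it is capped at its block and the other user still connects. The pool addresses 10.200.1.7-10.200.1.8, the internal range 10.0.1.10-10.0.1.11 and the 64-port block come from the guide's examples; the egress address 10.200.1.1, the rogue host 10.0.1.99 and the allocation strategy are constructed simplifications.

```python
from ipaddress import ip_address
from typing import Dict, List, Optional, Set, Tuple

Endpoint = Tuple[str, int]


def ip_range(start: str, end: str) -> List[str]:
    """Expand an inclusive range such as 10.200.1.7-10.200.1.8 into addresses."""
    lo, hi = int(ip_address(start)), int(ip_address(end))
    return [str(ip_address(n)) for n in range(lo, hi + 1)]


class SourceNat:
    """Source NAT allocator modelling the pool types from the guide.

    mode: "overload" (many-to-one with port translation, also the default
    egress-interface behaviour), "fixed-port" (overload with port translation
    disabled), "one-to-one" (first-come, first-served address mapping, no
    port translation), "fixed-port-range" (explicit internal-to-external
    pairing, no port translation) or "port-block" (overload with a per-client
    cap of block_size ports). max_sessions models the finite session table.
    """

    def __init__(self, mode: str, pool: List[str], internal: Optional[List[str]] = None,
                 block_size: int = 64, max_sessions: int = 100_000) -> None:
        self.mode, self.pool, self.internal = mode, pool, internal or []
        self.block_size, self.max_sessions = block_size, max_sessions
        self.next_port = 1024                         # translated-port counter
        self.sessions: Dict[Endpoint, Endpoint] = {}  # original -> translated
        self.in_use: Set[Endpoint] = set()            # translated endpoints
        self.addr_map: Dict[str, str] = {}            # one-to-one assignments
        self.per_client: Dict[str, int] = {}          # sessions per source IP

    def _alloc_port(self) -> int:
        self.next_port += 1
        return self.next_port - 1

    def translate(self, src_ip: str, src_port: int) -> Optional[Endpoint]:
        """Return (external IP, external port), or None if the connection is refused."""
        key = (src_ip, src_port)
        if key in self.sessions:                      # packet of an existing session
            return self.sessions[key]
        if len(self.sessions) >= self.max_sessions:   # session table is full
            return None
        used = self.per_client.get(src_ip, 0)
        if self.mode == "overload":
            ext = (self.pool[0], self._alloc_port())
        elif self.mode == "port-block":
            if used >= self.block_size:               # client exhausted its block
                return None
            ext = (self.pool[0], self._alloc_port())
        elif self.mode == "fixed-port":
            ext = (self.pool[0], src_port)            # source port is kept
        elif self.mode == "one-to-one":
            if src_ip not in self.addr_map:
                free = [ip for ip in self.pool if ip not in self.addr_map.values()]
                if not free:                          # pool exhausted
                    return None
                self.addr_map[src_ip] = free[0]
            ext = (self.addr_map[src_ip], src_port)
        elif self.mode == "fixed-port-range":
            if src_ip not in self.internal:           # outside the mapped range
                return None
            ext = (self.pool[self.internal.index(src_ip)], src_port)
        else:
            raise ValueError(f"unknown pool type {self.mode!r}")
        if ext in self.in_use:                        # e.g. fixed-port collision
            return None
        self.sessions[key] = ext
        self.in_use.add(ext)
        self.per_client[src_ip] = used + 1
        return ext


def rogue_client_demo(mode: str, max_sessions: int = 100) -> dict:
    """A rogue host sends 120 SYNs with distinct source ports (as with hping),
    then a normal user tries to connect through the same pool."""
    nat = SourceNat(mode, ["10.200.1.1"], max_sessions=max_sessions)
    rogue = sum(nat.translate("10.0.1.99", 40000 + i) is not None for i in range(120))
    other = nat.translate("10.0.1.10", 50000)
    return {"rogue_sessions": rogue, "other_user_ok": other is not None}
```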

Virtual IPs (VIPs) are destination NAT objects. For sessions matching a VIP, the destination address is
translated: usually a public Internet address is translated to a server's private network address. Select
VIPs in the firewall policy's destination address field.
The default VIP type is static NAT. This is a one-to-one mapping which applies for incoming and outgoing
connections. That is, an outgoing policy with NAT enabled would use the VIP address instead of the
egress interface address. This behavior, however, can be overridden by use of an IP pool.
The static NAT VIP can be restricted to forward only certain ports. For example, connections to the
external IP on port 8080 map to the internal IP on port 80.
From the CLI, you can set the NAT type to load-balance or server-load-balance. Plain load balancing
distributes connections from an external IP address to multiple internal addresses. The latter builds on that
mechanism, using a virtual server and real servers, and provides session persistence and server
availability check mechanisms.
VIPs should be routable to the external facing (ingress) interface. FortiOS responds to ARP requests for
VIP, and IP Pool, objects. ARP responses are configurable.

In this example, connections to the VIP 200.200.200.222 are NATed to the internal host 10.10.10.10.
Because this is static NAT, all NATed outgoing connections from 10.10.10.10 will use the VIP address in
the packet's destination field, not the egress interface's address.

For feature completeness, you can use a central NAT table. This is disabled by default. To enable it from
the GUI, go to System > Config > Features. In the CLI, use:
conf sys global
set gui-central-nat-table enable
end
In this case, the source NAT action is defined in a central table. If no central NAT rule exists, then the
default action of destination interface address is used.
Central NAT rules also allow control over source port usage.

Some application layer protocols are not fully independent of the lower layers, such as the network or
transport layer. If the session helper detects such a pattern, it may make changes to the application
headers or create expected secondary connections.
A good example is where an application has both a control and a data/media channel, such as with FTP.
Firewalls will typically allow the control channel and rely on the session helpers to handle the dynamic
data/media transmission connections.
When more advanced application tracking and control is required, an Application Layer Gateway (ALG)
can be used. The VoIP profile is an example of an ALG.

In this example, the media recipient address in the SIP SDP payload is modified to reflect the NATed IP
address.

Traffic shaping (also called quality of service (QoS)) can be applied in firewall policy and used to manage
the bandwidth used by each service or application. FortiGate can count the packet rates of ingress and
egress to police traffic. Note that these apply equally to TCP and UDP, and UDP protocols may not
recover as gracefully from packet loss.
ToS/DSCP flags, if used, can map packets to a specific transmission queue. For additional information,
see the Traffic Shaping FortiOS Handbook.

Two types of traffic shapers can be configured: Shared and Per-IP.


A shared shaper applies a total bandwidth to all traffic using that shaper; the scope can be per-policy or
for all policies referencing that shaper.

FortiGates equipped with Network Processors (NP) offload packet handling from the CPU. For each new
IP session, the first packet always goes to the CPU. If the session can be offloaded to an available NP,
the kernel sends session information to the NP. All subsequent packets in that session are forwarded by
the NP and not the CPU, so their transmission is accelerated. When the last packet is sent or received,
such as a TCP FIN or TCP RST signal, the NP returns this session to the CPU, which handles tear down.
Non-eligible sessions remain on the CPU. Typically, this includes policies that have a security profile
enabled. IP fragments are also non-eligible.
diagnose CLI commands, such as diag packet sniff and diag debug flow, run on the CPU. They will
not show packets handled by an NP. To ensure accurate output for these commands, you can temporarily
disable NPU offload in each firewall policy so that the packets are handled by the CPU and therefore
received by the troubleshooting command.

As a UTM, one of the most important features that a firewall policy can apply is security profiles such as
IPS and antivirus. These profiles inspect each packet in traffic flows where the session has already been
conditionally accepted by the firewall policy.
When inspecting traffic, FortiGate can use one of two methods: flow- or proxy-based. Different security
features are supported by each type.

Proxy-based scans typically use a transparent proxy. It's called transparent because at the
IP layer, FortiGate is not the destination address, yet FortiGate intercepts the traffic anyway.
In TCP connections, FortiGate's proxy generates the SYN ACK to the client and completes the three-way
handshake with the client before creating a second, new connection to the server. If the payload is less
than the oversize limit, the proxy buffers transmitted files/email for inspection before continuing
transmission. The proxy analyzes and may change headers such as HTTP Host: and URI for web
filtering. If a security profile decides to block the connection, the proxy can send a replacement message to
the client.
This adds latency to the overall transmission.


Proxy options affect the content inspection proxy. Settings include port numbers, oversize file action and
threshold, and client comforting (where the proxy transmits packets slowly while it continues to buffer and
scan).


How are flow-based scans different?
There is no proxy. If you are familiar with the TCP flow analysis of Wireshark, then that is essentially what the flow engine sees. Packets are buffered, analyzed, and forwarded as they are received. The same signatures used for proxy-based techniques apply to flow-based inspection, so the detection rate is potentially the same. Because the original traffic is unaltered, advanced features that modify content, such as safe search enforcement, are not supported.


An SSL/SSH inspection profile contains settings for decrypting these protocols, which is required in order to scan their content. Otherwise, viruses could be transmitted via HTTPS or SMTPS, for example, without detection.
For SSH, inspection allows FortiGate to intercept connections and control protocol commands. For example, using an SSH tunnel, a client could port forward any other protocol across an SSH connection. Using an SSH profile, FortiGate can block the Port-Forward command.


When troubleshooting firewall policies, you need to understand how the traffic should flow. Typically there are many firewall policies. What are the ingress and egress interfaces? What is actually happening to the traffic or application? Is it slow? Is it failing to connect? The answers help define which troubleshooting steps you need to take.


One of the most fundamental network debugging tools is packet capture, or sniffing.
The syntax of the CLI command is diag sniff packet <interface> <filter> <level>. The interface is the name of the physical or logical interface; if your account has the access profile super_admin, you can specify the any interface. The filters are similar to tcpdump on Linux. For level, you can choose from 1 to 6, depending on your requirements.
The only output options are the payloads in ASCII and hexadecimal format. To completely decode the packet and view its content, save the output to a plain text file, convert it to .pcap format, then open it with Wireshark.
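The text-to-.pcap conversion step is normally done with a script. As an added example (not from the original guide and not Fortinet's own conversion script), the Python below parses sniffer output at verbosity level 3, writes a libpcap file Wireshark can open, and does a minimal decode as a sanity check. The two frames in SAMPLE_SNIFFER_OUTPUT are constructed, and the parser assumes relative timestamps and a tab before the ASCII column.

```python
import re
import struct

# Constructed sample of "diag sniff packet" output at verbosity level 3:
# relative timestamp and header summary, then a hex dump with an ASCII column.
# Both frames are synthetic (a TCP SYN to port 80 and its SYN/ACK); IP and TCP
# checksums are left as zero, which Wireshark will flag but the parser ignores.
SAMPLE_SNIFFER_OUTPUT = """\
interfaces=[port3]
filters=[port 80]
0.000000 10.0.1.10.51242 -> 10.200.1.1.80: syn 1
0x0000\t 0050 5684 1234 0050 5685 4321 0800 4500\t.PV..4.PV.C!..E.
0x0010\t 0028 1a2b 4000 4006 0000 0a00 010a 0ac8\t.(.+@.@.........
0x0020\t 0101 c82a 0050 0000 0001 0000 0000 5002\t...*.P........P.
0x0030\t 7210 0000 0000\tr.....

0.001234 10.200.1.1.80 -> 10.0.1.10.51242: syn 4096 ack 2
0x0000\t 0050 5685 4321 0050 5684 1234 0800 4500\t.PV.C!.PV..4..E.
0x0010\t 0028 0000 4000 4006 0000 0ac8 0101 0a00\t.(..@.@.........
0x0020\t 010a 0050 c82a 0000 1000 0000 0002 5012\t...P.*........P.
0x0030\t ffff 0000 0000\t......
"""

# A packet header line starts with the relative timestamp the sniffer prints
# (absolute timestamps, the 'a' option, are not handled here).
HEADER_RE = re.compile(r"^(\d+\.\d+)\s+(\S.*)$")
HEX_LINE_RE = re.compile(r"^0x[0-9a-fA-F]{4}\s+(.*)$")
HEX_WORD_RE = re.compile(r"^(?:[0-9a-fA-F]{4}|[0-9a-fA-F]{2})$")

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1  # verbosity 3 and 6 include the Ethernet header


def _hex_dump_bytes(rest):
    """Turn one hex-dump line (offset already stripped) into bytes."""
    # The ASCII column follows a tab; if tabs were lost in copy/paste, fall
    # back to the leading run of hex words so ASCII text is never mis-read.
    hex_part = rest.split("\t")[0]
    words = []
    for tok in hex_part.split():
        if not HEX_WORD_RE.match(tok):
            break
        words.append(tok)
    return bytes.fromhex("".join(words))


def parse_sniffer_output(text):
    """Return a list of (timestamp, summary, frame_bytes) for each packet."""
    packets = []
    ts, summary, chunks = None, None, []
    for raw in text.splitlines():
        line = raw.rstrip()
        header = HEADER_RE.match(line)
        if header:
            if ts is not None and chunks:
                packets.append((ts, summary, b"".join(chunks)))
            ts, summary, chunks = float(header.group(1)), header.group(2), []
            continue
        dump = HEX_LINE_RE.match(line)
        if dump and ts is not None:
            chunks.append(_hex_dump_bytes(dump.group(1)))
    if ts is not None and chunks:
        packets.append((ts, summary, b"".join(chunks)))
    return packets


def to_pcap(packets):
    """Serialise parsed frames as a classic libpcap file Wireshark can open."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for ts, _summary, frame in packets:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def decode_frame(frame):
    """Minimal Ethernet/IPv4/TCP decode: (src, dst, sport, dport, tcp_flags)."""
    if frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    ihl = (frame[14] & 0x0F) * 4
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    tcp = frame[14 + ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    return src, dst, sport, dport, tcp[13]


if __name__ == "__main__":
    pkts = parse_sniffer_output(SAMPLE_SNIFFER_OUTPUT)
    with open("fgt_capture.pcap", "wb") as fh:
        fh.write(to_pcap(pkts))
    for ts, summary, frame in pkts:
        print(f"{ts:.6f} {summary} ({len(frame)} bytes) -> {decode_frame(frame)}")
```

Run it on a saved sniffer session instead of the embedded sample by reading the file into parse_sniffer_output; a SYN (flags 0x02) with no matching SYN/ACK in the decoded list is the retransmission pattern discussed later in this lesson.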


Here are some general examples. Much more can be learnt by reading the man page for tcpdump.


If your model of FortiGate has internal storage, you can capture packets from the GUI. Looking at the content of the packets can help you to see what is abnormal. The options in the GUI are the same as those from the CLI. To run a trace, specify a source interface and a filter.
What is the main advantage over the CLI? You can download the output in a file format which can be read by Wireshark, without having to use a conversion script.
Any packet capture filter should be very specific, in order to avoid writing large amounts of data to disk, which would affect performance.


Earlier, we mentioned that a packet capture does not show why FortiGate may have dropped a packet. This is the purpose of the packet flow (debug flow).
This is an example of diag debug flow. The first lines enable it, and enable it to print to the console. Next, the filters define which IP address and port numbers to trace; addr implies both source and destination, and port 80 typically captures HTTP.


Here is the output for the previous example, for the three-way handshake.
Virtual domain root receives a packet: the protocol is TCP; destination port 80; source IP 10.0.1.10; destination IP 10.200.1.1. The packet is received on interface port3.
FortiOS identifies this as a new session because it does not match any entries in its current session table.
FortiOS performs a routing lookup, as this is the first packet of the connection; gateway 10.200.1.254 (in this case the destination) is found on interface port1.
For the firewall policy match, the interfaces are port3 to port1. The hashing function is used for the policy lookup.
The connection matches policy ID 1 with source NAT enabled. The source address and port for all packets in this connection will NAT to 10.200.1.1:39738.
The packet is sent to the IPS module. In this case, the IPS security profile is enabled on the firewall policy.
Next, the reply (SYN/ACK) is received. This is identified as reply traffic for an existing connection. For the first reply packet, a routing lookup occurs.
Next, the client sends the ACK. This is identified as belonging to an existing connection.


The retransmission of SYN packets is a good indicator of the firewall blocking a connection. However, we don't know for sure. We could look at the traffic logs, if logging was enabled for the deny policy. What else could we use, though? The packet flow.


Combining debug flow and packet sniffer, we now see which firewall action is blocking this traffic.


To review, here are all the topics we covered in this lesson.

Firewall Authentication

In this lesson, we will show you how to use authentication on the firewall policies of a FortiGate.
Normal firewall policies involve separating devices based on the IP address or subnet involved.
Adding authentication to firewall policies, however, provides a mechanism to make decisions on not
just where the device is, but who is using the device.


After completing this lesson, you should have a solid understanding of the mechanics of authentication
on a FortiGate as well as some practical skills configuring firewall authentication.


Traditional firewalling grants network access by authenticating the source IP address only. This is
inadequate, as the firewall cannot determine who is using the device to which it is granting access.
This can pose a security risk.
Authentication allows action based on the user, not just the IP address. In this way, inspection rules
follow individuals across multiple devices.


Not all available methods of authentication can be used for firewall authentication (for example, certificate-based authentication cannot be used). You can, however, use local password authentication, remote password authentication, and two-factor authentication. Two-factor authentication is slightly different from the others, as it is enabled on top of an existing method; it cannot be enabled without first configuring one of the other methods.
In this lesson, we will discuss all three available methods.


The first and simplest method of authentication is Local Password Authentication. User account
information (user name and password) is stored locally on the FortiGate device, so there is no lookup
to an external server for user validation.
Local Password Authentication is the simplest method of authentication to configure, since you only
need access to the FortiGate. Other methods of authentication are more complex, as they involve
configuring the exchange of information between the FortiGate and a remote server as well as
configuring the various users and user groups on the server itself. Troubleshooting in those situations
becomes more complicated, as you need to examine both the FortiGate and external server. With
Local Password Authentication, you need only examine the FortiGate.


The second method of authentication is remote server authentication (or server-based password authentication). This includes any form of authentication where the final decision on user credentials is made by an external server, not the FortiGate. This method is desirable when multiple FortiGate devices need to authenticate the same users or user groups.
With remote server authentication, user information is sent from the FortiGate to a remote server. The remote server then evaluates the information it receives and sends a response. FortiGate examines the server response and consults its own configuration to decide how to handle the traffic. However, it is the server, not the FortiGate, that has final authority over evaluating the user credentials.
With Remote Server Authentication, the FortiGate does not store all (or, in the case of some configurations, any) of the user information locally.


Multiple protocols are supported for remote user authentication, including POP3, RADIUS (including server authentication and the single sign-on method, RSSO), LDAP, and TACACS+.
Single sign-on (SSO) methods, such as FSSO, NTLM, and RSSO, are also supported for remote user authentication.


With a FortiGate, you can implement Single Sign On (SSO) using FSSO and RSSO.
SSO allows a single login event to be used for all authentication and access situations. Without SSO,
if a user logs in to a Wi-Fi network, they will need to log in through a firewall policy separately when
they try to pass traffic. SSO links multiple authentication events to a single event.


One remote server authentication protocol worth mentioning is POP3, as the login credentials the remote server accepts are different from those of most other authentication protocols. Most other authentication protocols use the user name. POP3 servers, however, authenticate users based on email address. Some POP3 servers require the full email address with domain (user@example.com), others require the suffix only, while still others accept both formats. This is determined by the configuration of the server itself and is not a setting on the FortiGate. You can only configure POP3 authentication through the CLI.
You can also use LDAP to validate with the email address, rather than the user name.


The third, and final, method of authentication for firewalls, which is really just an extension of an existing authentication method, is two-factor authentication.
Traditional user authentication requires your user name plus something you know, such as a password. The weakness of this traditional method is that if someone obtains your user name, they only need your password to compromise your account. Furthermore, since people tend to use the same password across multiple accounts (some sites with more security vulnerabilities than others), accounts are vulnerable to attack, regardless of password strength.
Two-factor authentication, on the other hand, requires something you know, such as a password, and something you have, such as a token. This increases the complexity for an attacker to compromise an account, as it puts less importance on often-vulnerable passwords. With this authentication method, security is split between two different factors: both a password and a key of some kind.


One-time passwords (OTPs) are one method you can use with two-factor authentication as the "something you have". FortiToken and FortiToken Mobile (hardware and software, respectively) both generate one-time passwords. Both FortiToken and FortiToken Mobile generate a new password every 60 seconds.
You can deliver an OTP through alternative methods, other than providing the end user with a token or mobile app. For example, you can send an OTP through email or through an SMS message.
It is very important that FortiTokens are synchronized with the FortiGate. Otherwise, FortiGate cannot predict the correct string to use.


Tokens use a specific algorithm to generate a one-time password. The algorithm's inputs are:
- a seed, which is a randomly generated number that does not change over time, and
- the time, which is obtained from an internal, accurate clock.
Both seed and time go through an algorithm that generates a one-time password on the token. The OTP has a short life span, usually measured in seconds (60 seconds for a FortiToken, possibly more or less for other RSA key generators). Once the life span ends, for example after 60 seconds, a new one is generated.
With two-factor authentication using a token, the user must first log in with a static password, followed by the OTP (or code) generated by the token. A validation server (a FortiGate) receives the user's credentials and validates the static password first. The validation server then proceeds to validate the OTP. It does so by re-generating the same OTP using the seed and the system time (which is synchronized with the one on the token) and comparing it with the one received from the user. If the static password is valid, and the one-time password matches, the user is successfully authenticated.
Again, both the token and the validation server must use the same seed and have synchronized system clocks. As such, it is crucial that you configure your FortiGate's date/time properly or link it to an NTP server.
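As an added illustration (not from the guide and not Fortinet's FortiToken implementation, which this page does not describe), here is the standard OATH time-based OTP algorithm (RFC 6238, HMAC-SHA1) with the 60-second step named above, plus a toy validation server showing the two checks in order and what an unsynchronized clock does. The seed, user name and static password are constructed.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # OTP lifetime given for a FortiToken in the text (RFC 6238 default is 30)
DIGITS = 6

# Constructed demo seed shared by the token and the validation server.
DEMO_SEED = b"constructed-demo-seed-not-a-real-token"


def totp(seed, unix_time, step=STEP_SECONDS, digits=DIGITS):
    """One-time password from a shared seed and a clock (RFC 6238, HMAC-SHA1).

    The clock is quantised into `step`-second windows, so two parties produce
    the same code only while their clocks fall in the same window.
    """
    counter = int(unix_time) // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # RFC 4226 dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class ValidationServer:
    """Models the validation-server role described above: check the static
    password first, then regenerate the OTP from the seed and the server's
    own clock and compare it with what the user typed."""

    def __init__(self, users, clock_skew=0):
        self.users = users            # username -> (static password, token seed)
        self.clock_skew = clock_skew  # how far the server clock is off, in seconds

    def authenticate(self, username, password, otp, true_time):
        record = self.users.get(username)
        if record is None or not hmac.compare_digest(record[0].encode(), password.encode()):
            return "static password rejected"
        expected = totp(record[1], true_time + self.clock_skew)
        if not hmac.compare_digest(expected, otp):
            return "otp mismatch"
        return "authenticated"


def demo():
    """Three login attempts with the same token code: synced server, wrong
    static password, and a server whose clock is three windows off."""
    now = 1430388000 + 5      # 2015-04-30 10:00:05 UTC (constructed moment)
    users = {"alice": ("s3cret-static", DEMO_SEED)}
    code = totp(DEMO_SEED, now)                    # what the user's token displays
    in_sync = ValidationServer(users)
    drifted = ValidationServer(users, clock_skew=3 * STEP_SECONDS)
    return {
        "in_sync": in_sync.authenticate("alice", "s3cret-static", code, now),
        "bad_password": in_sync.authenticate("alice", "wrong", code, now),
        "drifted_clock": drifted.authenticate("alice", "s3cret-static", code, now),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The drifted-clock case is exactly the failure the text warns about: the seed is correct and the user typed the right code, yet validation fails because the server regenerates the code for a different time window.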


To use a FortiToken, you must first register it on a FortiGate device. Whether it's a hardware or software token, a serial number is used to provide the FortiGate with details on the initial seed value.
If you are using FortiToken Mobile, each FortiGate (and FortiGate VM) allows for two free activations. More than this requires the purchase of activation codes for additional mobile tokens from Fortinet.
You cannot register FortiTokens on more than one FortiGate. A deployment like that requires the use of a central FortiAuthenticator. In that case, the FortiTokens are registered on the FortiAuthenticator and not the FortiGate. FortiGate uses FortiAuthenticator as its validation server, which allows the same FortiToken to be used for access on multiple FortiGate devices.


Not all types of authentication involve prompting the user to enter their login credentials. While active
authentication (used with LDAP, RADIUS, Local Password Authentication, and TACACS+) prompts
the user to manually enter credentials, passive authentication (used with FSSO, RSSO, and NTLM)
determines user information without ever asking the user to log in. Passive authentication, therefore,
occurs transparently for the user.


Active authentication prompts the user based on:
- the protocol of the traffic they use to try to pass through a firewall, and
- the firewall policy itself.
The policy must specify the authentication protocols allowed, such as HTTP/S, FTP, and Telnet. If the policy that has authentication enabled does not allow at least one of the supported protocols for obtaining user credentials, the user will not be able to authenticate.
Passive authentication determines the user identity behind the scenes and does not require any specific services to be allowed within the policy.


You can enable both active and passive authentication. If both active and passive authentication are enabled and a user's credentials can be determined through passive means, then the user will never receive a login prompt, regardless of the order of any firewall policies. This is because there is no need to prompt the user for active authentication credentials when passive authentication can determine who they are. When active and passive authentication methods are combined, active authentication is intended to be used as a backup only, for when passive authentication fails.
No one method of authentication is considered more important than another. The first method that can determine a user name for any traffic is the deciding factor. Ultimately, that determines how the traffic is handled.


A firewall policy defines and matches traffic going from the source to the destination.
An IP address is required as part of the policy configuration for the source and destination. User, user
group, and device information can be enabled as well. If enabled, they become part of the source
definition for that policy. Accordingly, a source is comprised of source address(es)+source
user(s)/group(s)+source device(s).


No service (with the exception of DNS) is allowed through the firewall policy prior to successful user
authentication. DNS is allowed because it is a base protocol and will most likely be required to initially
see proper authentication protocol traffic. Hostname resolution is almost always a requirement for any
protocol. However, the DNS service must still be defined as allowed within the policy in order for it to
pass.
In the following example, Policy #1 allows users to use external DNS servers on the other side of
port2 in order to resolve host names, prior to successful authentication. Therefore, the DNS traffic is
allowed through even before authentication happens. It is also allowed if authentication is
unsuccessful, as users need to be able to try to authenticate again. Any service that includes DNS
would function the same way, like the default ALL service.
Policy #2, on the other hand, never allows DNS traffic, even after successful authentication. The
HTTP service is TCP port 80 and does not include DNS (UDP port 53).


In this example, assuming active authentication is used, any initial traffic from the 10.10.1.0/24 subnet will not match policy #1. Policy #1 looks at the IP as well as the user information, and since the user has not authenticated, there is no match.
Next, a check is made against policy #2. There is a match, and traffic is allowed with no need to authenticate.
When only active authentication is used, if all possible policies that could match the source IP have authentication enabled, then the user will receive a login prompt (assuming they use an acceptable login protocol). In other words, if policy #2 also had authentication enabled, the users would receive login prompts.
If passive authentication is used and it can successfully obtain user details, then traffic from 10.10.1.0/24 with users that belong to the guest-group will match policy #1, even though policy #2 does not have authentication enabled.


If you want all users connecting to the network to authenticate through active authentication, you can enable the captive portal. With captive portal, network interfaces perform authentication at the interface level, regardless of the firewall policy that allows the traffic or the port that it ultimately leaves by (authentication being enabled or disabled on the policy is not a factor). Essentially, a captive portal is a convenient way to authenticate web users on wired or Wi-Fi networks through an HTML form that requests the user's name and password. You can host a captive portal on a FortiGate device or an external authentication server.
The captive portal setting must be enabled on the ingress interface of the traffic. Captive portals are not compatible with interfaces in DHCP mode.


Using the previous example, with captive portal enabled on port 1, all traffic from behind port 1 would receive a login prompt, not just the users in the 10.10.1.0/24 subnet or traffic that may be going somewhere other than port 2.
Passive authentication never requires a captive portal, since it obtains user details differently. Only active authentication methods can use the captive portal feature (depending on the configuration).


A firewall policy can have the captive portal suppressed. When suppressed, traffic that matches the source and destination is not presented with the captive portal page. The captive-portal-exempt setting must be enabled in the CLI for each firewall policy and only applies to traffic that matches that policy. The security-exempt-list CLI setting, however, applies to those sources at all times, regardless of the firewall policy settings.
Depending on the configuration, one option or the other usually results in a simpler configuration. Use the option that best fits the requirements of the situation and results in less confusion or ongoing maintenance.
You can create and configure security exempt lists only from the CLI. However, you can enable them through the GUI settings.


You can enable disclaimers to be used in conjunction with captive portal, if desired. Disclaimers are
not considered authentication or a captive portal, but the two tend to go hand-in-hand. With the
authentication and disclaimer setting, the disclaimer appears before the user authenticates and acts
as a reminder of the rules for the network. Under this setting, users must accept the terms in the
disclaimer in order to proceed with the authentication process.
Neither a security exemption list nor a captive portal exemption on a firewall can bypass a disclaimer.


Any time FortiGate is required to jump into the traffic stream (with authentication pages or disclaimers, for example), you can modify the particulars of the block page through the GUI.
Editing HTML-based block messages requires knowledge of HTML, to ensure proper positioning and look of the page. The default layout is the Simple View, which hides most of the replacement messages. Use Extended View to show all editable replacement messages.


An authentication timeout ensures users do not authenticate and then stay in memory indefinitely. If users stayed in memory forever, it would eventually lead to memory exhaustion.
There are three options for timeout behavior:
- IDLE: Looks at the packets from the host's IP. If there are no packets generated by the host device in the configured timeframe, then the user is logged out.
- HARD: Time is an absolute value. Regardless of the user's behavior, the timer starts as soon as the user authenticates and expires after the configured value.
- NEW SESSION: Even if traffic is being generated on existing communication channels, the authentication expires if no new sessions are created through the firewall from the host device within the configured timeout.
Choose the type of timeout that best suits the needs of authentication in your environment.


We've mentioned users and user groups several times in this lesson. Now, we'll take a closer look at how both users and user groups are used by FortiGate for firewall authentication. Before that, however, we'll give a short refresher on how you create users and groups on an external server, which is useful if Remote Password Authentication is used as a method of authentication.


LDAP is a standard remote authentication protocol currently supported by the FortiGate device. The
behavior of LDAP is defined through multiple RFCs.
LDAP is an application protocol for distributed directory information services. It can also be viewed as
a database that contains user accounts, among other things. The structure of this database is similar
to a tree that contains entries (or objects) in each branch. Each of these objects has a unique
identifier, which is called the distinguished name (or DN). The objects also have attributes, and each
attribute has a name and one or more values. This structure is defined in what is called a directory
schema.


The hierarchy of an LDAP schema is not required to hold any resemblance to the organization.
However, generally the name conventions used and the group structure match with the name of the
company and corporate hierarchy very closely.


On the top, we have the root or DC. This is where an LDAP tree always starts, with any schema.
After that the groups are defined using C, OU, and/or O. The exact behavior and options used depend
on the schema and what exactly is being defined. At the end of the tree is the UID, which contains
specific details about a particular user.
The full path to find a user contains all of the information necessary in order to locate a user within the
tree structure. This means you will need the DN (somewhere to start), the group information (C, OU,
O), and the UID.


What you enter for the LDAP configuration depends heavily on the server's schema and security settings. Windows Active Directory is very common.
Common Name Identifier is the attribute name to look up in order to find the user name. Some schemas call this UID; Active Directory calls it sAMAccountName or sometimes cn.
Distinguished Name identifies the top of the tree to look in. Generally, this will be a DC value.
The Bind Type setting will vary, depending on the security settings of the LDAP server. Normally, this will need to be Regular, with the credentials being those of a user that is authorized to perform LDAP queries.


To see if a user's credentials can successfully authenticate or not, you must use the CLI or enable authentication on a firewall policy. The GUI will only test whether the initial LDAP connection to the server is successful or not.
Because the GUI only tests success/failure, either look at the server logs or run a packet sniff to see both sides of the LDAP communication, so you can find out exactly what is happening. Exact output will vary depending on the hierarchy of the LDAP server that was queried.
diagnose test authserver can be used to test most (not all) methods of authentication.


RADIUS doesn't have the same kind of behavior as LDAP, as there is no tree structure to consider.
Normal authentication queries with the RADIUS protocol begin with an Access-Request being sent from the FortiGate to the RADIUS server. Valid responses to this are Access-Accept and Access-Reject (yes and no, effectively).
If Two-Factor Authentication is enabled on the server, it will come back with an Access-Challenge message, where it is essentially looking for more information. Any other response from the server is not considered to be a valid response.
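The exchange just described, as an added example that is not part of the original guide and not FortiOS code: the client side builds an Access-Request with the User-Password hidden as RFC 2865 specifies, a simulated server answers with each of the three valid codes (and two invalid cases), and the client verifies the Response Authenticator before trusting the code. The shared secret, Request Authenticator and user credentials are constructed.

```python
import hashlib
import hmac
import struct

# RADIUS codes and attribute types from RFC 2865 used in this exchange.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE = 1, 2, 18

# Constructed values: a demo shared secret and a fixed Request Authenticator
# (a real client draws 16 fresh random bytes for every request).
DEMO_SECRET = b"constructed-shared-secret"
DEMO_REQUEST_AUTH = bytes(range(16))


def attribute(attr_type, value):
    """Type-Length-Value encoding; Length counts the two header bytes."""
    return struct.pack("BB", attr_type, len(value) + 2) + value


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with a chained MD5
    of the secret. This is obfuscation keyed by the shared secret, not strong
    encryption, which is why a long random secret matters."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, request_auth):
    """Server side of hide_password (used to check the credentials)."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(a ^ b for a, b in zip(block, key)), block
    return out.rstrip(b"\x00")


def access_request(ident, secret, username, password, request_auth):
    """What the FortiGate sends: Code 1, Identifier, Length, Authenticator, attributes."""
    attrs = attribute(USER_NAME, username)
    attrs += attribute(USER_PASSWORD, hide_password(password, secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def server_reply(code, request, secret, attrs=b""):
    """What the server sends back. Its Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + ResponseAttributes + Secret)."""
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(head + request[4:20] + attrs + secret).digest()
    return head + resp_auth + attrs


def classify_reply(reply, request, secret):
    """Client side: accept only a well-formed, authenticated reply whose code is
    Access-Accept, Access-Reject or Access-Challenge; anything else is invalid."""
    if len(reply) < 20 or reply[1] != request[1]:
        return "invalid"
    code, _ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply):
        return "invalid"
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        return "invalid"  # forged, or a server configured with a different secret
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject",
            ACCESS_CHALLENGE: "challenge"}.get(code, "invalid")


def demo_exchange():
    """One request, five possible replies, and the client's verdict on each."""
    req = access_request(7, DEMO_SECRET, b"alice", b"s3cret!", DEMO_REQUEST_AUTH)
    replies = {
        "accept": server_reply(ACCESS_ACCEPT, req, DEMO_SECRET),
        "reject": server_reply(ACCESS_REJECT, req, DEMO_SECRET),
        "challenge": server_reply(ACCESS_CHALLENGE, req, DEMO_SECRET,
                                  attribute(REPLY_MESSAGE, b"Enter token code")),
        "wrong_secret": server_reply(ACCESS_ACCEPT, req, b"other-secret"),
        "unexpected_code": server_reply(5, req, DEMO_SECRET),  # Accounting-Response
    }
    return {name: classify_reply(r, req, DEMO_SECRET) for name, r in replies.items()}


if __name__ == "__main__":
    for name, verdict in demo_exchange().items():
        print(f"{name:>16}: {verdict}")
```

The wrong_secret case is the mistake a GUI connectivity test will not catch: the server is reachable and answers, but a secret mismatch makes every reply fail authentication on the FortiGate side.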


RADIUS configuration on a FortiGate is straightforward.
The server's location needs to be defined, along with the secret that was set up in order for the server to allow remote queries. Backup servers (with separate secrets) can be defined in case the primary server fails.


Testing RADIUS is much the same as LDAP. The GUI can test the connection to the server, but not a
user login. Make sure that authentication is operational prior to implementing it on any of your firewall
policies.
Like LDAP, it reports success, failure, and group membership details depending on the servers
response. Deeper troubleshooting requires server access.


Now that we've examined how to create users on the LDAP or RADIUS server, let's look at how to create the firewall users and groups on the FortiGate. This is the first step to authentication: creating firewall users and groups.
You can create firewall authentication users through the Users & Devices > User > User Definition page of the FortiGate GUI. A wizard walks you through the creation process.
You are required to define the type of user (Local or Remote) and the user credentials. For remote authentication, you must select the server to authenticate against as well. There are other optional settings available, such as adding contact information, enabling Two-Factor Authentication, or adding the user to a User Group.


Once you've made user accounts, you can assign firewall policies to them. But rather than assign firewall policies to act on individual users, you can put users into groups, with policies making decisions based on the group itself. These groups are known as user groups. By assigning individual users to the appropriate user groups, you can control access to network resources. You can define both local and remote user groups on a FortiGate device. There are four user group types:
- Firewall
- Fortinet Single Sign On (FSSO)
- Guest, and
- RADIUS Single Sign On (RSSO)
The firewall user groups do not need to match any sort of group that may already exist on a server. The firewall user groups exist solely to make configuration of firewall policies easier.
Note that most authentication types have the option to make decisions based on the individual user, rather than just user groups.


As mentioned, one of the four user group types is Guest. Guest groups are user groups that exclusively contain temporary user accounts (the whole account, not just the password), and are most commonly used in wireless networks. Guest accounts expire after a predetermined amount of time.
You can automatically create guest users on the fly, or manually create them through an admin user. You can create special admin users that only have access to create and manage guest user accounts.


You can configure user groups through the FortiGate GUI under User & Device > User > User Group. You must specify the user group type, the local users that belong to the group, and the remote authentication server(s) that contain the users that belong to the user group.
User groups simplify your configuration if you want to treat specific users in the same way, for example, if you want to provide all Accountants with access to the same network resources. If you want to treat all users differently, you would need to add all users to firewall policies separately.

Once you've created firewall users and groups, you can move on to configuring the policies.
IP address information is part of the source definition of a policy, in combination with any users and
groups specified. A user who belongs to a group can still be referenced individually; group membership
does not mean the user can only be referenced through the group.

After creating firewall policies, you can monitor access of your firewall users. To keep track of who is
authenticated through the firewall policies there is a User Monitor section in the GUI located under
User & Device > Monitor > Firewall.
The User Monitor screen displays who has authenticated through the firewall policies of your
FortiGate device at any given moment. It does not include administrators, because they are not
authenticating through firewall policies that allow traffic; they are logging in directly to the FortiGate.
This feature also allows you to de-authenticate one user or multiple users simultaneously.

There are no events logged for successful or failed login attempts through a firewall policy.
Users that log in successfully show up in the monitor. Those that do not are prevented from passing
through the firewall.
Once a user is successfully logged in, all further logs generated from the host automatically contain
their user information. Default reports and charts are set up so that the source is shown as the user, or
as the IP address if there is no authentication.
You can find the list of possible log events that can show up in the Log & Report > Event Log > User
section in the Log Message Reference Guide on the doc.fortinet.com website.

In this lesson, we discussed:

Authentication, what it is and how it works
Three methods of authentication, specifically Local Password Authentication, Remote Password
Authentication, and Two-Factor Authentication
The different authentication protocols
One-time passwords and tokens
Authentication types (active and passive)
Authentication policies
Captive Portal and disclaimers
Authentication timeout
Users/user groups, both with regard to an external LDAP or RADIUS server and through the
FortiGate, and
How to monitor firewall users

SSL VPN

In this lesson, we will show you how to use and configure SSL VPN. SSL VPNs are an easy way of
providing access to your private network for remote users.

After completing this lesson, you should have these practical skills that you can use to configure an
SSL VPN for your organization.

A virtual private network enables users to remotely and securely access private resources as if they
were locally connected.
It is generally used to transmit private information safely between LANs separated by an untrusted
public network such as the Internet, so it is not only implemented for providing access to mobile users,
but also for interconnecting geographically dispersed networks across the Internet. The user data
travelling inside a VPN tunnel is encrypted, so it cannot be intercepted by unauthorized users. VPNs
also use security methods to ensure that only authorized users can establish the VPN and access the
private network's resources.

The most common types of VPN are SSL VPN and IPsec VPN.
SSL VPNs are commonly used to secure web transactions. Clients connect to a web portal and log in.
SSL VPN is essentially meant to connect a PC to a private network. This approach is simple in that users only
need a regular web browser to connect and are not usually required to install any kind of special
software or go through a complex setup. They simply need to access an HTTPS web site and log in.
This makes SSL VPN an ideal solution for users who are either not technically skilled, or who need to
connect from public computers.
IPsec is also used to connect a PC to a private network. However, there are some important
differences. First, SSL VPN access is through a web portal, whereas IPsec access is not. Second, IPsec is a
standard protocol supported by most vendors, so a VPN session can be established not only between
two FortiGate devices, but also between devices from different vendors. By comparison, SSL VPN can only
be established between a client PC and an end device.
In this lesson, we are going to focus on SSL VPN.

Web-only mode is used to connect using HTTPS to the FortiGate device from any browser. Once
connected, users need credentials in order to pass an authentication check. Once authenticated,
users are presented with a portal that contains possible resources for them to access. Different users
can have different portals with different resources and access permissions.
One of the widgets contains links to all or some of the resources available for the user to access.
Another widget allows users to type the URL or IP address of the server they want to reach. A Web-only
SSL VPN user makes use of these two widgets to access the internal network. The main
advantage of Web-only mode is that it is clientless. This means the user is not required to install any
client VPN software to obtain access. However, Web-only mode has two main disadvantages. First,
all interaction with the internal network must be done from the browser exclusively (through the web
portal); other network applications running on the user's PC cannot send data across the VPN.
Second, only a limited set of protocols is supported: HTTP/HTTPS, FTP, RDP, SMB/CIFS,
SSH, Telnet, VNC, and Ping.

Tunnel mode access begins in much the same way as Web-only mode. Users must connect to the
FortiGate through HTTPS and successfully authenticate. They are then presented with a web page
that has various options, including a widget to activate tunnel mode.
When the user clicks Connect, a tunnel is established between the PC and the FortiGate device. Inside the
tunnel, IP traffic is encapsulated over HTTPS and sent to the other side. The FortiGate device
receives the traffic and de-encapsulates the IP packets, forwarding them to the private network as if
they originated from the inside. The main advantage of Tunnel mode over Web-only mode is that,
once the VPN is established, any IP network application running on the client can send traffic across
the tunnel. The main disadvantage is that this requires the installation of a VPN software client, which
requires administrative privileges. If the VPN client is not installed when the user accesses the SSL
VPN web portal, the Tunnel Mode widget offers the option to download and install it.

Tunnel mode can operate in two different ways: with and without Split Tunneling enabled.
When Split Tunneling is disabled, all IP traffic generated by the client's PC (including Internet traffic) is
routed across the SSL tunnel to the FortiGate. This sets up the FortiGate as the default gateway for
the host. You can use this method in order to apply UTM features to the traffic of those SSL VPN
clients, or to monitor or restrict Internet access. However, it adds latency and bandwidth usage.
When Split Tunneling is enabled, only traffic destined for the private network(s) behind the FortiGate
gets routed across the tunnel.

There are two methods to connect to an SSL VPN tunnel. The first method is through a browser. The
limitation is that the browser window or tab with the SSL VPN portal must remain open in order to
keep the tunnel up. The second method is through a standalone SSL VPN client. Using an SSL VPN
client means the browser is not necessary to maintain the tunnel, but it also means you have to install
an SSL VPN client.
When the SSL VPN client is installed, a virtual network adapter called fortissl is added to the user's
PC. This virtual adapter dynamically receives an IP address from the FortiGate device each time a
new VPN is established. All packets sent by the client use this virtual IP address as the source
address.

Because tunnel mode requires installing a virtual network adapter, which requires administrative-level
access, it is not always a feasible method to use. For those situations where tunnel
mode isn't practical and web-only mode isn't flexible enough, there is a web-only extension called port
forward mode.
Rather than use a virtual adapter to create a tunnel with an IP separate from the local IP, port forward
uses a Java applet to set up a local proxy that is accessed by connecting to the loopback address.

Between web-only and tunnel mode, tunnel mode is the more versatile, as it supports any IP
application. However, it requires admin/root privileges to install a VPN client. You can get a direct
tunnel connection either through a browser or by using the standalone VPN client.
Web-only, on the other hand, is clientless, but does not support all the IP applications that tunnel
mode does. You can connect only through a browser, and only through one connected to the SSL VPN
portal. Port Forward (an extension of Web-only) supports some additional IP applications, but it
requires users to change the application configuration to send the IP traffic to a Java applet acting as
a local proxy.
The final decision about which mode to use depends on many factors, such as the technical knowledge of
the users, the type of network applications, and whether admin access to the users' PCs is possible.

When users log in to their individual portal, there is an option that allows them to create their own
bookmarks (known as frequently used connections). An administrator must enable the user bookmark
option, and once enabled, users can create and modify their own bookmarks from the portal.
Administrators have the ability to view and delete bookmarks the remote user has added to their SSL
VPN login in the GUI under VPN > SSL > Personal Bookmarks. This allows administrators to monitor
and remove any unwanted bookmarks that do not meet corporate policy.
From the CLI of the FortiGate, administrators can create bookmarks for different users. These
bookmarks appear even if the user bookmark option is disabled in the portal, as that option only
affects the user's ability to create and modify their own bookmarks.

Depending on the type of bookmark an administrator wants to create, they may need to enter
additional information during configuration, such as URLs for websites, and folders for FTP sites to
name a few.
Only three types of bookmarks can be used if employing the Port Forwarding method (an extension
for web-only mode): citrix, portforward, and rdpnative. Citrix and RDP native are specific for that kind
of traffic. Portforward is a generic type of bookmark that you can customize to suit the traffic.

Instead of just adding bookmarks on a per-user basis, administrators can also add bookmarks on a
per-portal basis. This allows bookmarks to appear for all users who log in to that particular portal.
These bookmarks use the exact same configuration options that personal bookmarks do, but can be
configured from the GUI, rather than the CLI. Users cannot modify administrator-added bookmarks,
whether they are created on a per-user or per-portal basis.

To add flexibility to your SSL VPN deployment, you may consider configuring Realms. Realms are
custom login pages, usually for user groups, such as your Accounting team and your Sales team, but
can be for individual users as well. With realms, users and user groups can access different portals
based on the URL they enter. This is unlike a default deployment, where SSL VPN login is handled by
going directly to the FortiGate's IP address. With different portals, you can customize each login page
separately as well as limit concurrent user logins separately.
Example of Realms on a FortiGate:
HTTPS://192.168.1.1
HTTPS://192.168.1.1/Accounting
HTTPS://192.168.1.1/TechnicalSupport
HTTPS://192.168.1.1/Sales

Since SSL VPNs are methods for people outside your network to connect to resources inside your
network, you must take appropriate measures to ensure the safety and security of the information in
your network. There are multiple options and settings available to help secure SSL VPN access. In
this lesson, we'll cover client integrity checking and restricting host connection addresses.

When a user connects to your network through SSL VPN, a portal is established between your
network and the user's PC. The VPN session is secured natively in two ways: the connection is
encrypted and the user must log in with their credentials, such as a user name and password.
However, you can configure additional security checks to increase the security of the connection.
One method of increasing your security is through client integrity checking. Client integrity ensures, to
some extent, that the connecting computer is secure by checking whether specific security software,
such as antivirus or firewall software, is installed and running. This feature only supports Microsoft
Windows clients, as it accesses the Windows Security Center to perform its checks. Alternatively, you
can customize this feature to check the status of other applications by using their Globally Unique
Identifier (GUID). The GUID is a unique ID in the Windows Configuration Registry that identifies each
Windows application. Client Integrity can also check the current software and signature versions for
the antivirus and firewall applications.

The Client Integrity check is performed while the VPN is still being established, just after user
authentication has finished. If the required software is not running on the client's PC, the VPN
connection attempt is rejected even with valid user credentials.
Client Integrity is enabled per web portal and only by using CLI commands.
The list of recognized software along with the associated registry key value is available through the
CLI. Software is split into three categories: AntiVirus (av), Firewall(fw), and Custom. Custom is used
for customized or proprietary software that an organization may require. Administrators can only
configure these settings through the CLI.
The disadvantage of enabling Client Integrity checking is that it can result in a lot of administrative
overhead. First, all users must have their security software updated in order to successfully establish a
connection. Second, software updates can result in a change to the registry key values, which can
also prevent a user from successfully connecting. As such, administrators must have in-depth
knowledge of the Windows operating system and its registry behavior in order to properly
make extended use of, as well as maintain, this feature.

The second method you can use to help secure SSL VPN access is restricting host connection
addresses. Setting up IP restriction rules can be very useful when considering proper security
configuration. Not all IPs need, or should be allowed, access to the login page. This method allows
you to set up rules to restrict access from specific IPs. One simple rule is to allow or disallow traffic
based on Geographic IP addresses.
The default logic allows all IPs to connect. From the CLI, you can configure the VPN SSL setting to
disallow specific IPs.

To monitor remote user connections, you can view the SSL VPN Monitor table, accessible through the
GUI under VPN > Monitor > SSL VPN Monitor. This table shows all the SSL VPN users currently
connected to the FortiGate device. It displays the user names, IP addresses, and connection times.
In the table, a subsession row below a user means the user has brought up an SSL VPN tunnel. No
subsession row below the user means the user is only connected to the web portal page. Whether the
VPN tunnel is activated with the Web Portal widget or the standalone client, they appear the same
way in the SSL VPN Monitor table.

When an SSL VPN is disconnected, either by the user or through the SSL VPN idle setting, all
associated sessions in the FortiGate session table are deleted. This prevents reuse of
authenticated SSL VPN sessions (not yet expired) after the initial user terminates the tunnel.
The SSL VPN user idle setting is not associated with the firewall authentication timeout
setting. It is a separate idle option specifically for SSL VPN users. A remote user is
considered idle when the FortiGate does not see any packets or activity from the user within
the configured timeout period.

There are four mandatory steps that must be followed in order to configure SSL VPN. The fifth step is
optional and only necessary to allow access to internal resources.
Configuration does not need to be done strictly in this order. However, there are several places where,
if certain options are not configured ahead of time, you are prevented from making further
configuration changes.

The first step is to create the accounts and user groups for the SSL VPN clients. User and group
creation was previously covered in the Firewall Authentication module.
All the FortiGate authentication methods, with the exception of Remote Password Authentication
using the FSSO protocol, can be used for SSL VPN authentication. This includes Local Password
Authentication and Remote Password Authentication (using the LDAP, RADIUS, TACACS+, and
POP3 protocols). Two-Factor Authentication, with or without FortiToken, is also supported.

The second step is to configure the portal. A portal is simply a webpage that contains tools and
resource links for the users to access.
Options on the portal, such as tunnel mode, links for downloading FortiClient, and predefined
bookmarks, can be enabled or disabled to allow or deny access. You can individually
configure and link each portal to a specific user group and/or user so they only have access to
required resources.
There are several different theme options that provide different color coding to the portals as well.

This is a sample of an SSL VPN portal page after the user logs in.
It contains various widgets, based on the configuration of the portal. The Bookmarks and
Connection Tool widgets are for web-only mode. The Tunnel Mode widget activates tunnel mode
through the browser. The standalone client can link into that directly, though the user must have
access to a portal that contains the client.

The third step to configuring SSL VPN is to configure the general settings. First, we'll talk about the
connection settings specifically, and then later, the tunnel mode client settings, and the authentication
portal mapping settings.
As with any other HTTPS web site, the SSL VPN portal presents a digital certificate when users are
connecting. By default, the presented certificate is self-signed, which triggers the browser to show a
certificate warning. To avoid the warning, you should use a digital certificate signed by a Certificate
Authority (CA) known to the browser. Alternatively, you can load the digital certificate into the browser
as a trusted authority. Certificates are covered in more detail in the Certificate Operations lesson.
By default, an inactive SSL VPN is disconnected after 300 seconds (5 minutes) of inactivity. You can
change this timeout through Idle Logout settings in the GUI. Note that it is separate from the
authentication idle timeout discussed in the firewall authentication lesson.
Also by default, the port for the SSL VPN portal is 443, which means that users need to connect using
HTTPS to the IP address of the FortiGate device and to port 443 (which is also the standard port for
the administration HTTPS protocol).

In a default configuration, the SSL VPN login portal and the administrator login for HTTPS both use
port 443.
This is convenient because users do not need to specify the port in their browser. For example,
https://www.example.com/ automatically uses port 443 in any browser. This is considered a valid
setup on the FortiGate because you generally don't access the SSL VPN login through every
interface. Likewise, you generally don't enable administrative access on every interface of your
FortiGate. So even though the ports may overlap, the interfaces that each one is accessed through may
not.
If SSL VPN and HTTPS admin access both use the same port, and are both enabled on the same
interface, only the SSL VPN login portal will appear. In order to have access to both on the same
interface, you need to change the port number for one of the services. This will affect the port number
for that service on all interfaces.

Once you set up your SSL VPN connection settings, you can define your Tunnel Mode settings. When
users connect, the tunnel is assigned an IP address. You can choose to use the default range or
create your own range. The IP range determines how many users can connect concurrently.
DNS Servers will only be effective if DNS traffic is sent over the VPN tunnel. Generally this will only
be the case when split tunnel mode is disabled and all traffic is being sent from the client PC across
the tunnel.

The last part of step three is to set up the authentication rules that map users to the appropriate portal
and realm. These settings allow different groups of users to access different portals and/or realms.
The default rule applies to the root realm and must be present, otherwise an error message appears
that prevents any setting changes from being saved.
In the above example, accountants and teachers only have access to their own realms. If they need
access to the root realm to see the student portal, you would need to add an additional authentication
rule.
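The realm and authentication-rule behaviour described on this slide and on the earlier Realms slide, as an added Python model (not code from the guide or FortiOS): the realm is taken from the login URL path, rules are matched on realm and group, and a root-realm rule must exist. The realm and portal names are constructed from the guide's examples, and top-down, first-match evaluation is an assumption.

```python
# Added example, not code from the FortiGate guide: a model of how SSL VPN
# realms and authentication rules pick the portal a user lands on. Realm and
# portal names are constructed from the guide's examples; the top-down,
# first-match evaluation order is an assumption about FortiOS behaviour.
from dataclasses import dataclass
from typing import Iterable, List, Optional
from urllib.parse import urlparse


@dataclass(frozen=True)
class AuthRule:
    portal: str
    realm: str = ""                    # "" is the root realm (https://<ip>/)
    groups: frozenset = frozenset()    # empty means the rule matches any user


def realm_from_url(url: str) -> str:
    """The realm is the first path segment of the login URL; '' is root."""
    path = urlparse(url).path.strip("/")
    return path.split("/", 1)[0] if path else ""


def validate_rules(rules: Iterable[AuthRule]) -> None:
    """The guide states a rule for the root realm must exist or saving fails."""
    if not any(rule.realm == "" for rule in rules):
        raise ValueError("missing mandatory authentication rule for the root realm")


def select_portal(rules: List[AuthRule], url: str,
                  user_groups: Iterable[str]) -> Optional[str]:
    """Return the portal for a login at url by a member of user_groups, or None."""
    validate_rules(rules)
    realm = realm_from_url(url)
    groups = set(user_groups)
    for rule in rules:                 # assumption: evaluated top-down, first match wins
        if rule.realm != realm:
            continue
        if rule.groups and not (rule.groups & groups):
            continue
        return rule.portal
    return None                        # no matching rule: no portal for this realm


# Constructed rule set mirroring the guide's example: accountants and teachers
# only reach their own realms; the default root-realm rule serves students.
RULES = [
    AuthRule("accounting-portal", realm="Accounting", groups=frozenset({"Accountants"})),
    AuthRule("teacher-portal", realm="Teachers", groups=frozenset({"Teachers"})),
    AuthRule("student-portal", realm="", groups=frozenset({"Students"})),
]

# The additional rule the guide mentions, letting accountants see the student
# portal when they log in at the root realm.
RULES_WITH_ROOT_ACCESS = RULES + [
    AuthRule("student-portal", realm="", groups=frozenset({"Accountants"})),
]


if __name__ == "__main__":
    # Constructed logins: the IP address is the one used in the guide's examples.
    for url, groups in (("HTTPS://192.168.1.1/Accounting", ["Accountants"]),
                        ("https://192.168.1.1/", ["Accountants"]),
                        ("https://192.168.1.1/", ["Students"])):
        print(url, groups, "->", select_portal(RULES, url, groups),
              "| with extra rule:", select_portal(RULES_WITH_ROOT_ACCESS, url, groups))
```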

The fourth, and last, mandatory step to configure SSL VPN involves creating firewall policies for login.
SSL VPN traffic on the FortiGate uses a virtual interface called SSL.<vdom>. Each VDOM contains a
different virtual interface based on its name. By default, if VDOMs are not enabled then the device
operates with a single VDOM called root. VDOMs are covered in more detail in the FCNSP module on
Virtual Networking.
In order to activate and successfully log in to the SSL VPN portal, there must be a firewall policy that
goes from the SSL VPN interface to the interface that is listening for the SSL VPN login, that includes
all of the users/groups that can log in as the source.
If there are multiple interfaces listening for a login, then all of them must be specified, either with
different policies or in the same policy. Without a policy like this, no login portal is presented to users.

In this example, there are three different user groups that log in remotely: Teachers, Accountants, and
Students.
In order to enable authentication, you must create a firewall policy with the source interface as ssl.root
that includes those three groups for the source. That firewall policy will enable the login portal and
allow those groups to authenticate. It will also allow those groups to access resources and bookmarks
that are beyond the wan1 interface. Without a firewall policy that is SSL.<vdom> to the interface that
the user is trying to connect from, no login portal will be presented.
If there are resources behind other interfaces that tunnel mode users need access to, then you need
to create additional policies that allow traffic from ssl.root to exit those interfaces. If resources inside
are allowed to initiate traffic to hosts on the other side of the SSL Tunnel, then policies need to be in
place to allow that.

As an optional step, you can create firewall policies for traffic to the internal network. Any traffic that
gets generated by the users of the SSL VPN exits from the ssl.<vdom> interface. This includes not
only tunnel mode traffic, but traffic generated by the widgets on the web portal page.
The firewall policy discussed in step four allows login and access to external resources. As such,
policies should be created to allow users access to resources inside the network.

In this lesson, we discussed:

What SSL VPN is and how it operates
Differences of SSL VPN vs. IPsec VPN
Web-only mode, tunnel mode (including split tunneling), and port forwarding
Methods of connecting to SSL VPN tunnels
Portals, bookmarks and realms
Securing SSL VPN access through client integrity checking and restricting host connection access
Monitoring SSL VPN users
Configuring SSL VPN

Basic IPsec VPN

In this lesson, we will show you how to set up site-to-site IPsec VPN.
VPNs are heavily used in today's IT infrastructure to join private corporate networks across the Internet.
IPsec is an RFC standard. Whether you have FortiGate devices only or mix in another vendor's devices,
the principles are essentially the same.

After completing this lesson, you should have these practical skills that you can use to set up a simple
IPsec tunnel for a site-to-site VPN.
During this, we will explain how to choose between configuring a policy-based or route-based VPN. You
will also learn how to verify the status of each tunnel.

A Virtual Private Network (VPN) allows people in remote places separated by the Internet to securely
access resources on your local network. For example, if workers are traveling or working from home,
you can use a VPN to give LAN access to them. You can also use a VPN to interconnect multiple
campuses.
There are multiple types of VPN: PPTP, L2TP, SSL VPN, and IPsec are popular choices.
PPTP is fast, but its security is weak and easily defeated.
IPsec requires a gateway or installation of client software, so it is more complicated to set up for
mobile users than SSL VPN, where they can simply use their web browser instead.
SSL VPN is designed for tunnels between a single client and a LAN, not between entire offices.
Because of this, many networks now use a combination of SSL VPN for mobile user access
and IPsec or L2TP for tunnels between offices.
Often, tunnel is used as a synonym for VPN, although not all VPNs technically are tunnels, as we will
see in a minute.

When should you use IPsec? What is it?
It is a vendor-neutral standard set of protocols used to join two physically distinct LANs, as if they were a
single logical LAN, despite being separated by the Internet.
In theory, RFC 2409 and 4305 do support null encryption; that is, you can make VPNs which do not
encrypt traffic. The RFCs also support null data integrity. But does that provide any advantages over
plain traffic? No. No one can trust traffic into which an attacker may have injected data. Rarely do
people want data sent by an unknown person. Most people also want private network data, such as
credit card transactions and medical records, to remain private.
So in reality, regardless of vendor, IPsec VPNs almost always have settings for 3 important benefits:
Authentication, to verify the identity of at least the initiator (and sometimes also the
responder);
Data integrity, or HMAC, to prove that encapsulated data has not been tampered with as it
traverses a potentially hostile network;
Confidentiality, or encryption, to ensure that only the intended recipient can read the message.
And, of course VPNs have virtual routing and network settings to use when joined to the remote LAN.

When we say the IPsec protocol, what layers and protocols are we talking about?
IPsec injects itself above the third layer: IP. What's encapsulated? It depends on the mode. IPsec
can operate in two modes: transport mode or tunnel mode.
Transport mode directly encapsulates what would usually be the fourth layer (TCP transport, for
example) and above.
Once the IPsec encapsulation is removed, there is no additional routing layer left. That's why it's also
called direct peer-to-peer or client-to-client. So this mode is not technically a tunnel, even though
many people use the words VPN and tunnel interchangeably. (Tunneling technically means
encapsulating an IP packet inside another IP packet.) Transport mode does not traverse NAT well,
especially carrier-grade symmetric NAT, and depending on the case, may require NAT Traversal,
ALG or hole punching, or may not work at all. This is because the port numbers are inside the encrypted ESP
payload.
Tunnel mode is a true tunnel. Encapsulation first adds a second IP layer, then the original transport
layer (TCP, UDP, etc.). The second IP layer contains a private network that is routable on the remote
network. Once the IPsec packet reaches the remote LAN, and is unwrapped, the packet can
continue on its journey.
To fit an IPsec packet into the frame, when FortiGate applies ESP, one payload may be split in order to
fit into two packets. So you don't need to adjust the frame MTU. But this does mean that you might need
more bandwidth for VPN traffic.

Let's look at the two methods of encapsulation: Which should you choose? Why might some extra
bandwidth be needed? Why is NAT traversal necessary?
The blue underlined parts of each packet are additional bits that are required by ESP. They vary between
transport and tunnel mode.
Relative to a non-IPsec packet, notice that the green Layer 4 transport area of the frame is now shorter.
Remember, the 1500 byte default frame MTU has not changed. Payload length is variable, and filled with
padding, so this doesn't always matter. But if the additional ESP bits cause the packet payload to not fit,
then FortiGate must split the payload into multiple frames. IKE is in separate packets, too, and also
requires additional bits to be transmitted.
You are trading some bandwidth for:
Security and,
Routability (in the case of tunnel mode)
Notice that after you remove the VPN-related headers, a transport mode packet cant be transmitted any
further it has no second IP header inside. So its not routable.
Thats OK if the packet is decrypted at an endpoint such as the FortiGate itself (think of encrypted Syslog
tunnels, and some special cases such as multicast, GRE-IPSec and L2TP-IPSec for Windows/Android
clients), but not usually if there are more router hops until the packet reaches its destination. For those
purposes, youll need tunnel mode instead.
Notice, too, that TCP or UDP port numbers are inside the ESP payload. They will be encrypted. So NAT
cant rewrite them for port forwarding or port overloading.
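Here is an added worked example (Python written for this edit, not code from the guide or from FortiOS) that puts numbers on the slide: how many bytes ESP adds in each mode, and why a payload that filled a 1500-byte frame before encryption no longer fits afterwards. The field sizes are the standard ones from RFC 4303 (ESP) and RFC 3948 (UDP encapsulation for NAT-T); the two algorithm suites are assumptions for the demo.

```python
"""Added example, not from the FortiGate guide: on-the-wire size of an
ESP-protected IPv4 packet in transport vs. tunnel mode, and whether it still
fits the default 1500-byte MTU. Field sizes follow RFC 4303 and RFC 3948; the
algorithm suites below are assumptions for the demo."""

from dataclasses import dataclass

IPV4_HEADER = 20      # outer (tunnel) or only (transport) IP header, no options
ESP_HEADER = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2       # pad length (1) + next header (1)
UDP_HEADER = 8        # added only when NAT-T wraps ESP in UDP/4500


@dataclass(frozen=True)
class Suite:
    """Assumed algorithm suite; values are the standard IV/ICV sizes."""
    name: str
    iv_len: int       # AES-CBC: 16-byte IV (3DES-CBC would be 8)
    block: int        # cipher block size the plaintext is padded to
    icv_len: int      # HMAC-SHA1-96: 12 bytes; HMAC-SHA256-128: 16 bytes


AES128_SHA1 = Suite("aes128-sha1", iv_len=16, block=16, icv_len=12)
AES256_SHA256 = Suite("aes256-sha256", iv_len=16, block=16, icv_len=16)


def esp_packet_size(payload_len: int, mode: str, suite: Suite = AES128_SHA1,
                    nat_t: bool = False) -> int:
    """Total IPv4 packet size after ESP is applied.

    payload_len is the original transport-layer data (e.g. a TCP segment,
    header included). Tunnel mode encrypts the inner IP header along with it;
    transport mode reuses the original IP header as the outer header."""
    if mode not in ("transport", "tunnel"):
        raise ValueError("mode must be 'transport' or 'tunnel'")
    plaintext = payload_len + (IPV4_HEADER if mode == "tunnel" else 0)
    # ESP pads plaintext + 2-byte trailer up to a multiple of the block size.
    padded = -(-(plaintext + ESP_TRAILER) // suite.block) * suite.block
    esp = ESP_HEADER + suite.iv_len + padded + suite.icv_len
    # One outer IP header in both modes; NAT-T inserts a UDP header before ESP.
    return IPV4_HEADER + (UDP_HEADER if nat_t else 0) + esp


def esp_overhead(payload_len: int, mode: str, **kw) -> int:
    """Bytes added relative to the unprotected packet (IPv4 header + payload)."""
    return esp_packet_size(payload_len, mode, **kw) - (IPV4_HEADER + payload_len)


def fits_mtu(payload_len: int, mode: str, mtu: int = 1500, **kw) -> bool:
    """True if the protected packet leaves the interface without being split."""
    return esp_packet_size(payload_len, mode, **kw) <= mtu


def largest_payload(mode: str, mtu: int = 1500, **kw) -> int:
    """Largest transport-layer payload that still fits the MTU after ESP."""
    size = mtu
    while size > 0 and not fits_mtu(size, mode, mtu, **kw):
        size -= 1
    return size


if __name__ == "__main__":
    for mode in ("transport", "tunnel"):
        for nat in (False, True):
            print(f"{mode:9} nat_t={nat!s:5} max payload in a 1500-byte MTU:",
                  largest_payload(mode, nat_t=nat))
```

Run it and compare the tunnel-mode figure with and without NAT-T: every byte of header pushes the split point lower, which is what "more bandwidth" means in practice, more packets for the same data rather than a bigger frame.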

Because encapsulation styles and other settings vary, and any mismatch causes the VPN to fail, starting with FortiOS 5.2 there are VPN templates.
You can use these to simplify VPN setup, reducing the guesswork about which settings are compatible between devices.
But sometimes you may need to create a tunnel manually, or pass it through a NAT device. So let's show you how.

If you're passing your VPN through NAT devices such as firewalls, it helps to know which protocols to allow.
Really, IPsec means three separate protocols:
IKE, which is used to authenticate peers, exchange keys, and negotiate the encryption and integrity algorithms that will be used; essentially, it is the control channel. It runs over UDP port 500 (UDP port 4500 when NAT traversal is in use).
AH, the authentication header: the integrity check values (often loosely called checksums) that verify the integrity of the data. It is IP protocol 51.
ESP, the encapsulating security payload: the encrypted payload, essentially the data channel. It is IP protocol 50.
So if you need to pass IPsec traffic through another firewall, remember: allowing just one protocol or port number is not enough.
Note that although the IPsec RFCs define AH, it does not offer encryption, an important benefit. So it is not used by FortiGate. As a result, you don't need to allow IP protocol 51.
To make a VPN, configure matching settings on both ends, whether the VPN is between two FortiGates, between a FortiGate and FortiClient, or between a third-party device and a FortiGate. If the settings don't match, tunnel setup will fail.

Let's talk about how FortiGate starts an IPsec tunnel.
If you're creating a custom VPN tunnel, it will help you to understand which settings to use, and how tunnels work.

On FortiGate, there are two ways a packet can initiate an IPsec VPN: by matching a route, or by matching a policy. (In our old documentation, route-based used to be called interface-based, and policy-based used to be called tunnel-based.)
How do you know when to use policy-based or route-based?
Generally, try to use route-based. It offers more flexibility and control. You can implement very complex routing scenarios, such as where tunneled traffic must be routed with policy-based routing, or where you require GRE over IPsec.
In comparison, policy-based VPNs must be used when the FortiGate is in transparent mode, or if the other peer requires L2TP over IPsec.

In addition to their different limitations, the two types are configured differently.
In a route-based VPN, FortiGate automatically adds a virtual interface with the same name as the Phase 1. Two firewall policies with the action ACCEPT are usually required: one for sessions originating on the local network, and another for sessions from the remote network. You also need to route the VPN traffic to the virtual network interface. (Usually, you'll use a static route.)
In a policy-based VPN, only one firewall policy with the action IPSEC is required. The policy is bidirectional. By default, the GUI hides policy-based VPNs. To show policy-based VPN settings, use the CLI setting set gui-policy-based-ipsec enable (under config system settings).
Both sides of your VPN don't need to be configured in the same route-based or policy-based mode. You can configure one peer as route-based and the other as policy-based. But the Phase 1 and Phase 2 settings must match.

If you have a simple case, like the site-to-site scenario in this lesson, use the VPN wizard.
But if you need to tailor your VPN settings, you can still make a custom VPN.
When making a route-based VPN, one additional step is usually required: you must also create a route to direct VPN traffic to the new virtual interface for IPsec. (If you use the wizard, though, this is done automatically.)

When the VPN wizard is completed, FortiGate automatically creates many of the required objects:
Addresses and address groups
Static routes
Policies
Phase 1 and Phase 2 settings
To immediately check the status of your tunnel, click Show Tunnel List. This can be your first test of
whether your VPN is working.

How does FortiGate bring up a VPN?
Let's begin by talking about Internet Key Exchange, also called IKE Phase 1.
This is when each endpoint of the tunnel, the initiator and the responder, connect and begin to set up the VPN.
When they first connect, the channel is not secure yet. An attacker in the middle could intercept keys sent in the clear. And both ends have no strong guarantee of each other's identity, either. So how can they exchange sensitive keying material?
Not directly. First, both ends have to create a temporary secure channel. They'll use this to protect strong authentication, and to negotiate the real keys for the real tunnel later. Let's show how this works.

This is Phase 1, where peers say hello and create an IKE SA that defines a temporary secure channel.
What is an SA?
A security association is simply the set of algorithms and parameters used to encrypt and authenticate data between two points. The settings must agree; otherwise Phase 1 will fail, because each side wouldn't be able to decrypt or authenticate traffic from the other. Phase 1 can be negotiated in aggressive mode (three messages, peer identities sent in the clear, little room to negotiate) or in main mode (six messages, identities protected, more flexible negotiation). Details are in the advanced IPsec lesson.
The IKE SA established in Phase 1 is a secure channel that is used to:
protect the Phase 2 negotiation, including the Diffie-Hellman keys that Phase 2 will use, and
build the final ESP tunnels.

During Phase 1, FortiGate uses the Diffie-Hellman method. Each side combines the public value it received from its peer with its own private exponent, which is never sent, and both arrive at the same shared secret. Random values called nonces, exchanged by both sides, are then mixed into the keys derived from that secret.
This is crucial. With Diffie-Hellman, even if an attacker can listen in to the messages carrying the public values, they cannot compute the shared secret. This is why it works even over a channel that is not yet authenticated, where, for example, a user name, password and FortiToken have not been exchanged yet. (Authentication with the pre-shared key or certificates is still needed to stop an active attacker from impersonating a peer.)
The new shared secret is used to calculate additional keys: for symmetric encryption and for authentication.
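Here is an added worked example (Python written for this edit, not code from the guide or from FortiOS) of the exchange described above: both peers compute the same secret from values an eavesdropper also sees, the nonces are folded into the derived keys, and a pre-shared key mismatch leaves the Diffie-Hellman secret intact but every derived key different, which is why Phase 1 then fails. It uses a toy 127-bit prime so it runs instantly (real IKE uses the RFC 3526 MODP groups, for example DH group 14 at 2048 bits), SHA-256 as the prf, and a key schedule that only follows the shape of RFC 2409; those are all assumptions of the demo.

```python
"""Added example, not from the FortiGate guide or FortiOS: the Diffie-Hellman
step of IKE Phase 1 and how the exchanged nonces feed key derivation.
Assumptions: toy 127-bit prime, SHA-256 prf, RFC 2409-shaped key schedule."""

import hashlib
import hmac
import secrets
from typing import Dict, Tuple

P = (1 << 127) - 1   # toy group prime (assumption for the demo); a Mersenne prime
G = 2                # toy generator


class Peer:
    """One IKE endpoint: a private exponent, its public value, and a fresh nonce."""

    def __init__(self, name: str) -> None:
        self.name = name
        self._x = secrets.randbelow(P - 2) + 1    # private exponent: never leaves this host
        self.public = pow(G, self._x, P)          # g^x mod p: sent in the clear
        self.nonce = secrets.token_bytes(16)      # Ni or Nr: sent in the clear
        self.shared = b""

    def derive(self, peer_public: int, peer_nonce: bytes, psk: bytes) -> Dict[str, bytes]:
        """Compute g^xy from the peer's public value, then derive keys from it.

        An eavesdropper holds both public values and both nonces, but without a
        private exponent cannot compute g^xy and so cannot reach any of the keys."""
        self.shared = pow(peer_public, self._x, P).to_bytes(16, "big")
        # Sort so both sides feed the nonces in the same order; IKE fixes Ni_b | Nr_b.
        n_a, n_b = sorted([self.nonce, peer_nonce])
        skeyid = hmac.new(psk, n_a + n_b, hashlib.sha256).digest()          # prf(PSK, Ni|Nr)
        skeyid_d = hmac.new(skeyid, self.shared + n_a + n_b, hashlib.sha256).digest()
        return {
            "shared": self.shared,
            "enc": hmac.new(skeyid_d, b"encryption", hashlib.sha256).digest()[:16],
            "auth": hmac.new(skeyid_d, b"authentication", hashlib.sha256).digest(),
        }


def ike_phase1_keys(psk_initiator: bytes,
                    psk_responder: bytes) -> Tuple[Dict[str, bytes], Dict[str, bytes]]:
    """Run one exchange; only public values and nonces cross the network.

    Passing two different PSKs models the Phase 1 mismatch: the DH secret still
    agrees, but every key derived from it differs, so authentication fails."""
    initiator, responder = Peer("initiator"), Peer("responder")
    k_i = initiator.derive(responder.public, responder.nonce, psk_initiator)
    k_r = responder.derive(initiator.public, initiator.nonce, psk_responder)
    return k_i, k_r


def same_keys(a: Dict[str, bytes], b: Dict[str, bytes]) -> bool:
    return all(hmac.compare_digest(a[k], b[k]) for k in ("shared", "enc", "auth"))


if __name__ == "__main__":
    k_i, k_r = ike_phase1_keys(b"fortinet", b"fortinet")
    print("keys agree:", same_keys(k_i, k_r))
    k_i, k_r = ike_phase1_keys(b"fortinet", b"f0rtinet")
    print("DH secret agrees with wrong PSK:", k_i["shared"] == k_r["shared"],
          "enc keys agree:", k_i["enc"] == k_r["enc"])
```

Run it twice: the shared secret differs each time because both exponents are freshly generated, which is exactly what Perfect Forward Secrecy buys when Phase 2 repeats this exchange on every rekey.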

If your VPN must pass through a NAT device, as we mentioned, ESP encryption would normally prevent the NAT device from reading and remapping the port numbers inside.
To solve this, Phase 1 was extended. It added NAT traversal, also called NAT-T. When NAT-T is enabled on both ends, the peers can detect any NAT device along the path. If NAT is found, then:
the remaining Phase 1 packets and all Phase 2 packets move from UDP port 500 to UDP port 4500, and
FortiGate and the client encapsulate ESP within UDP port 4500.
So if you have two FortiGates that are behind, for example, an ISP modem that performs NAT, you will probably need to enable this setting.
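Here is an added worked example (Python written for this edit, not code from the guide or from FortiOS) of the two mechanics just described: how the peers notice that a NAT sits on the path, following the NAT-D payloads of RFC 3947, and how IKE and ESP then share UDP port 4500, following the Non-ESP marker of RFC 3948. The addresses, IKE cookies and SPIs are constructed, and SHA-1 is assumed as the negotiated hash.

```python
"""Added example, not from the FortiGate guide or FortiOS: NAT detection
(RFC 3947 NAT-D payloads) and UDP/4500 encapsulation (RFC 3948 Non-ESP marker).
Addresses, cookies and SPIs are constructed for the demo; SHA-1 is assumed."""

import hashlib
import ipaddress
import struct
from typing import Dict, List, Tuple

Endpoint = Tuple[str, int]            # (IPv4 address, UDP port)
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948: 4 zero bytes in front of IKE on UDP/4500


def nat_d_hash(cky_i: bytes, cky_r: bytes, ep: Endpoint) -> bytes:
    """NAT-D = HASH(CKY-I | CKY-R | IP | Port) from RFC 3947 (SHA-1 assumed here)."""
    ip = ipaddress.IPv4Address(ep[0]).packed
    return hashlib.sha1(cky_i + cky_r + ip + struct.pack("!H", ep[1])).digest()


def nat_d_payloads(cky_i: bytes, cky_r: bytes, local: Endpoint, remote: Endpoint) -> List[bytes]:
    """What a peer sends: first the hash of the address it is sending to, then the
    hash of its own address as it believes it to be."""
    return [nat_d_hash(cky_i, cky_r, remote), nat_d_hash(cky_i, cky_r, local)]


def detect_nat(cky_i: bytes, cky_r: bytes, received: List[bytes],
               observed_src: Endpoint, observed_dst: Endpoint) -> Dict[str, bool]:
    """Receiver side: recompute the hashes from the addresses actually seen on the
    wire. A mismatch means a NAT rewrote that endpoint somewhere on the path."""
    return {
        # The sender aimed at an address that is not the one this packet arrived on.
        "nat_in_front_of_me": received[0] != nat_d_hash(cky_i, cky_r, observed_dst),
        # The sender's own idea of its address differs from the source we see.
        "nat_in_front_of_peer": all(h != nat_d_hash(cky_i, cky_r, observed_src)
                                    for h in received[1:]),
    }


def simulate_phase1(initiator: Endpoint, initiator_seen_by_responder: Endpoint,
                    responder: Endpoint) -> Dict[str, bool]:
    """The initiator sends NAT-D; the responder checks it against what arrived."""
    cky_i, cky_r = b"\x11" * 8, b"\x22" * 8           # constructed IKE cookies
    sent = nat_d_payloads(cky_i, cky_r, local=initiator, remote=responder)
    return detect_nat(cky_i, cky_r, sent,
                      observed_src=initiator_seen_by_responder, observed_dst=responder)


def udp4500_encapsulate(kind: str, body: bytes) -> bytes:
    """After NAT is detected, IKE and ESP share UDP/4500. IKE gets the Non-ESP
    marker in front; ESP is sent as-is because a real SPI is never zero."""
    if kind == "ike":
        return NON_ESP_MARKER + body
    if kind == "esp":
        if len(body) < 8 or body[:4] == NON_ESP_MARKER:
            raise ValueError("ESP needs a non-zero SPI followed by a sequence number")
        return body
    raise ValueError(f"unknown kind {kind!r}")


def udp4500_demux(payload: bytes) -> Tuple[str, bytes]:
    """Receiver: split IKE from UDP-encapsulated ESP arriving on the same port."""
    if payload[:4] == NON_ESP_MARKER:
        return "ike", payload[4:]
    return "esp", payload


if __name__ == "__main__":
    # Branch FortiGate on a private address behind an ISP modem that NATs it.
    print(simulate_phase1(("192.168.1.1", 500), ("203.0.113.7", 41000), ("198.51.100.1", 500)))
    # Same peer with a public address: nothing rewritten, nothing detected.
    print(simulate_phase1(("203.0.113.7", 500), ("203.0.113.7", 500), ("198.51.100.1", 500)))
```

The first call reports a NAT in front of the initiator, which is the case where the upstream firewall must allow UDP 4500 in addition to UDP 500; ESP as IP protocol 50 never appears on the wire once encapsulation is on.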

Once details such as dead peer detection, NAT, and symmetric keys have been determined, your FortiGate is ready to establish the real SA, that is, the IPsec SA, which defines the ESP channel that will be used to encapsulate and transmit data through the VPN.
It does this via IKE Phase 2.
There is one IKE SA for Phase 1, but there can be two or more IPsec SAs from Phase 2. Let's see how.

Once Phase 1 has established a secure channel and shared keys, Phase 2 begins.
Phase 2 negotiates security parameters for the IPsec SA, not to be confused with the IKE SA. It is this IPsec SA, not IKE, that ESP will use to transmit data between the LANs.
IKE Phase 2 does not end once ESP begins. Phase 2 periodically renegotiates the keys. This maintains security. Also, if you enable Perfect Forward Secrecy, each time the Phase 2 key lifetime expires, FortiGate performs a fresh Diffie-Hellman exchange to calculate a new shared secret. So even if the same encryption algorithms are selected each time, the ESP tunnel keeps changing to a key that is not derived from the previous one, and compromising one key does not expose earlier or later traffic.
Each Phase 1 can have multiple Phase 2s. When would this happen?
For example, you may want to use different encryption keys for each subnet whose traffic is crossing the tunnel. How does FortiGate select which Phase 2 to use? By the quick mode selectors.
Additionally, most traffic is two-way traffic. IPsec SAs are unidirectional, so each Phase 2 usually results in two ESP SAs: one for each direction.

During Phase 2, we must configure a pair of settings called quick mode selectors. They identify traffic and direct it to the appropriate Phase 2 if there are several.
In other words, they allow granular SAs.
Selectors behave similarly to a firewall policy. VPN traffic must match the selectors of one of the Phase 2 SAs. If it does not, the traffic is dropped.
When configuring selectors, specify the source and destination IP subnets that will match each Phase 2. You can also specify the protocol number, and the source and destination ports, of the allowed traffic.
In point-to-point VPNs, such as when connecting a branch office FortiGate to the headquarters FortiGate, both sides' configurations must mirror each other: the local subnet on one side is the remote subnet on the other.
Quick mode selectors for dial-up VPNs are different, and details are in the advanced IPsec lesson.
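Here is an added worked example (Python written for this edit, not code from the guide or from FortiOS) of the selector behavior described above: a small HQ configuration with a dedicated Finance Phase 2 and a broader campus one, the packet-to-SA match, the drop when nothing matches, the mirrored configuration the branch must carry, and the 0.0.0.0/0 catch-all. Subnets, ports and Phase 2 names are constructed.

```python
"""Added example, not from the FortiGate guide or FortiOS: how quick mode
selectors pick a Phase 2 for a packet, what happens when nothing matches, and
what the mirrored configuration on the peer looks like. Subnets, ports and
Phase 2 names are constructed for the demo."""

import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence

ANY = 0   # 0 means "any" for protocol and ports, as in the selector settings


@dataclass(frozen=True)
class Phase2:
    name: str
    local_subnet: str         # Local Address in the Phase 2 settings
    remote_subnet: str        # Remote Address
    protocol: int = ANY       # 6 = TCP, 17 = UDP, 0 = any
    local_port: int = ANY
    remote_port: int = ANY

    def matches(self, src_ip: str, dst_ip: str, protocol: int = ANY,
                src_port: int = ANY, dst_port: int = ANY) -> bool:
        """Outbound packet from the local LAN: source in the local subnet,
        destination in the remote subnet, protocol and ports as configured."""
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.local_subnet)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.remote_subnet)
                and self.protocol in (ANY, protocol)
                and self.local_port in (ANY, src_port)
                and self.remote_port in (ANY, dst_port))

    def mirrored(self) -> "Phase2":
        """The selector the remote peer must configure for this SA: local and
        remote swap places. Without a mirror image, Phase 2 fails to negotiate."""
        return Phase2(self.name, self.remote_subnet, self.local_subnet,
                      self.protocol, self.remote_port, self.local_port)


def select_phase2(selectors: Sequence[Phase2], src_ip: str, dst_ip: str, protocol: int = ANY,
                  src_port: int = ANY, dst_port: int = ANY) -> Optional[Phase2]:
    """First selector that matches wins. None means the IPsec engine drops the
    packet even though a firewall policy may already have accepted it."""
    for sel in selectors:
        if sel.matches(src_ip, dst_ip, protocol, src_port, dst_port):
            return sel
    return None


def mirrors(local_side: Sequence[Phase2], remote_side: Sequence[Phase2]) -> bool:
    """True when every Phase 2 configured here has its mirror image on the peer."""
    remote = {(p.local_subnet, p.remote_subnet, p.protocol, p.local_port, p.remote_port)
              for p in remote_side}
    return all((p.remote_subnet, p.local_subnet, p.protocol, p.remote_port, p.local_port) in remote
               for p in local_side)


# Constructed HQ configuration: Finance gets its own SA (e.g. stronger crypto),
# the rest of the campus uses a broader one. The more specific entry comes first.
HQ = [
    Phase2("HQ-Finance", "10.0.1.0/24", "10.1.1.0/24"),
    Phase2("HQ-General", "10.0.0.0/16", "10.1.0.0/16"),
]
BRANCH = [p.mirrored() for p in HQ]
CATCH_ALL = [Phase2("HQ-Any", "0.0.0.0/0", "0.0.0.0/0")]   # leave filtering to firewall policies

if __name__ == "__main__":
    for src, dst in (("10.0.1.5", "10.1.1.9"), ("10.0.7.5", "10.1.1.9"), ("10.0.1.5", "192.168.9.9")):
        hit = select_phase2(HQ, src, dst)
        print(f"{src} -> {dst}:", hit.name if hit else "no selector, dropped")
    print("branch mirrors HQ:", mirrors(HQ, BRANCH))
```

The third packet is the case the slide warns about: a firewall policy may accept traffic to 192.168.9.0/24, but with no matching Phase 2 the IPsec engine silently drops it, which is why a 0.0.0.0/0 selector pair is the pragmatic choice when you would rather filter with policies.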

Once all settings are configured, each time that a host on your local LAN sends a packet where the
destination is on the remote LAN, FortiGate should automatically bring up the VPN tunnel. It should
remain available for some time, as long as the tunnel is being used.

If you need detailed control of your VPN, such as for IKE version 2, you can still configure it manually.

If you are configuring a custom VPN, you can start from the wizard. Click Custom VPN Tunnel (No Template).
Configure the remote FortiGate's WAN IP address, and indicate which network interface on this local FortiGate is the gateway that leads to it. FortiGate will use this to connect to the other end.
If your peers use pre-shared keys for the initial (IKE) authentication, both peers must be configured with the same pre-shared key. For Phase 1, choose which encryption and authentication algorithms to propose, and so on. They should match, too. If the peers can't agree on IKE security, even Phase 1 won't be established. So if in doubt, make sure the Phase 1 and Phase 2 settings on both FortiGates match.

You already identified the other FortiGate's WAN IP (the Remote Gateway), so now also indicate your local FortiGate's WAN IP. Remember: during IKE, each side must have some way to identify its peer so that it can label the IKE SA.
Once Phase 1 completes, Phase 2 begins. This sets up the ESP tunnels that will be used for the actual data transfer. For each subnet on each end of the VPN, you can specify different levels of ESP security. For example, connections to the Finance LAN might need larger key sizes and stronger authentication. To do this, configure multiple Phase 2 entries. For simplicity, here we show only one Phase 2: the Local Address is our LAN, and the Remote Address is the remote LAN.
Remember that if traffic doesn't match an IPsec SA, the IPsec engine will drop the packet. Usually, it's more intuitive to filter traffic with firewall policies. So if you don't want to use SA filtering, you can just set the quick mode selectors to 0.0.0.0/0 on both sides.

If you used the wizard for everything, it would have created routes and policies suitable for a route-based
VPN. What if you, for example, have a FortiGate in transparent mode?
Remember, first, you must enable the GUI to show policy-based IPsec options. Configure your phases
as before, then create a policy. When policy-based VPN settings are visible, an additional Action
setting is available when you configure a policy. Choose IPsec. Then choose the policy-mode tunnel
settings.
If you enable Allow traffic to be initiated from the remote site, you only need to make one policy. It will
govern both directions.

With a route-based VPN, the firewall policies are different.
There are usually two policies, not one.
The interface doesn't match wan1; it matches the virtual interface, which in this example is named HQ-to-Branch.
The VPN wizard is the easiest way to make these. If you used it, you can skip this step.
But if you want to set up a VPN manually, use these as examples.

In a route-based VPN, you need to route VPN traffic destined for the remote LAN to the IPsec interface. If you used the wizard, this route was created for you automatically.
(In a policy-based VPN, traffic is routed to wan1 or another external interface instead. Since there is usually a default route that sends all non-local packets towards the Internet, policy-based VPNs can usually skip this step.)
To do this, you'll usually add a static route.

In the GUI, there is a tool to monitor the status of your IPsec VPNs. Through this tool, you can see how much traffic has passed through each tunnel. You can also start and stop individual tunnels, and get additional details.
If the tunnel is up, a green arrow appears next to its name. If it is down or not in use, a red arrow is displayed.
For example, here, simply by looking at the Remote Gateway column, you can find a misconfiguration: the IP should be an interface address on the remote FortiGate, not a subnet address. So it is impossible to bring the tunnel up.

This example shows three different VPN tunnels: Client_VPN, Home_VPN, and Office_VPN.
The Phase 1 Office_VPN appears twice because it has two separate Phase 2s associated with the same Phase 1. The other VPNs have one Phase 2 per Phase 1.
For each Phase 2, we can see the Phase 1 name, the remaining key lifetime, the status, and the quick mode selectors.

If your tunnel is not starting, it helps to know the expected behavior. This varies by type.
This outlines the steps. Depending on whether you are creating a route-based (interface-based) or policy-based VPN, FortiGate will use a different mechanism.
One common mistake is to configure a policy-based VPN but set the action to ACCEPT. This causes FortiGate to egress clear-text packets, not encrypted ones.
Another common mistake is to route egressing packets to the wrong port. Remember, route-based VPNs must egress through the virtual interface, not the WAN interface.

Like with any feature, IPsec uses some system resources. Requirements vary by the number of VPNs.
Strong cryptography involving large key sizes can increase resource usage noticeably. Many models of
FortiGate have specialized FortiASIC chips to increase IPsec cryptographic performance, so especially if
you have many tunnels simultaneously, check that your configuration offloads cryptography to these
chips where possible. In some cases, you may be able to offload incoming traffic to one ASIC, and
outgoing traffic to another ASIC.
Details are in the hardware acceleration lesson.

To review, these are the topics we've talked about. We presented an overview of the IPsec technology, which includes Internet Key Exchange, Phase 1, Phase 2, Diffie-Hellman and quick mode selectors. We also showed the difference between policy-based and route-based VPNs, and how to use the VPN monitor.

Antivirus & Conserve Mode

In this lesson, we will show you how to use antivirus scanning on a FortiGate.
Since antivirus scanning is one of the features that, depending on your configuration
and chosen signature database, can use significant RAM, we will also show you how
to resolve conserve mode.

After completing this lesson, you should have these practical skills. Not only will you
be able to configure antivirus, but you should have a better understanding of how
virus scanning works, along with knowledge of some tools to help you optimize
memory usage on your FortiGate.

How old are viruses? In 1949, John von Neumann gave lectures at the University of Illinois about what he called self-replicating automata. On ARPANET, the precursor to the Internet, the first virus, named Creeper, was detected in 1971.
Since then, malicious software has evolved into many types. Technically, although we often refer to all malware as viruses, not every piece of unwanted software behaves like a virus: malware is not always self-replicating, and sometimes users willingly install it. To include viruses, worms, Trojans, spyware and all others, we now use the term malware.
Malware can be divided into two major types:
viruses, which infect the computer and spread on their own (generally via an exploit), such as Flash ad banners whose binaries contain buffer overflow code
grayware, which requires some kind of user interaction but convinces the user that the benefit outweighs the cost, such as browser toolbars that also track the user's activity and insert their own ads into web pages

Within the category of viruses, there are two important subtypes:
Trojans, such as Zeus, which, like the literary Trojan horse, trick users into letting down their defenses and installing them, and then often use the network to spread via email or instant message.
Worms, such as Conficker and Code Red, which spread by connecting to open ports on the network and exploiting misconfigurations or other vulnerabilities in those daemons.
A Trojan can infect the same host multiple times, but that happens when another copy arrives from an external source. The local copy of the software does not try to re-infect the computer.
Are all viruses malicious? By definition, yes. But some white hat hackers and academics have written beneficial worm-like software. It spreads via the same exploits, but then cleans infections and/or patches the host. For example, Creeper was followed by Reaper, which removed Creeper from infected systems.

Regardless of how the virus spreads, once installed, a virus is somehow malicious. What makes it malicious? Its behavior. (This is one of the reasons, by the way, that security analysts use sandboxing such as FortiSandbox to discover new viruses. Looking at which C functions a virus contains, for example, cannot find all viruses. The forensics lab must see which functions actually execute, and what the effects are.)
Most people are familiar with spyware, adware, and rootkits. Malware could also be:
Ransomware, such as CryptoLocker, which is fairly new. The software holds the computer hostage, often encrypting critical user data with a key the victim does not have, until the victim pays the extortionist.
Key loggers, which record keystrokes and return them to a remote location, including administrator logins and the personal email addresses of executives.
Mass mailers, which transform computers into open relay mail servers for a botnet, often managed via remote command and control, sending spam for hire. These are often operated by organized crime syndicates.

Just as viruses have evolved many vectors for spreading, they have also evolved many techniques for evading antivirus engines and manual analysis.
Viruses can encrypt their payloads, or change the exact code. As a result, when comparing a signature to the binary sample, the two aren't an exact, bit-by-bit match. So in order to detect the virus, the engine must be able to either:
match flexibly, or
ignore the changeable parts of the code, and match only on the polymorphic or metamorphic engine (the decoder stub that stays recognizable from one variant to the next).

Now that you know some different ways that viruses spread and evade detection,
what are some methods that FortiGate uses to find and block them?

At the host level, host-based antivirus software such as FortiClient helps. But host-based antivirus can't be installed on routers. Guest Wi-Fi networks and ISP customers also might not have antivirus software installed. So how can you protect them? And how can you protect your own network from these botnets?
The solution is to implement antivirus in your network security, on your FortiGate.
Just as viruses have many ways to avoid detection, FortiGate has many techniques it can use to detect them. Let's explain each method.

The first, fastest, simplest way to detect malware is an exact match against a signature.
Grayware is not technically a virus; remember, it is often bundled with innocuous software, but it does have unwanted side effects, so it is categorized as malware. Often, grayware can be detected this way, with a simple FortiGuard Antivirus signature.
But for the reasons we just described, polymorphic viruses often cannot be detected by an exact match alone.

What is another way that FortiGate can detect viruses? It can look for attributes that viruses usually have; in other words, it can apply heuristics.
Heuristics are based on probability, so they increase the possibility of false positives, but they also can detect zero-day viruses: viruses that are new and unknown, for which no signature exists yet. That is the tradeoff. If your network is a frequent target for virus writers, enabling heuristics may be worth the performance cost because it can help you to detect a virus before the outbreak begins.
By default, when the antivirus scan's heuristic engine detects a virus-like characteristic, it logs the file as Suspicious but does not block it. Suspicious files can be treated differently from a positive match with a virus or grayware signature: you can choose whether to block or allow suspicious files.
When should you disable heuristic blocking, versus configure the antivirus scan to only log detections?
Windows operating system updates often modify the registry. Viruses often do this, too, however. So, for example, you might apply heuristics in log-only mode to Windows updates, but block suspicious behavior in all other connections.

Remember, if the antivirus scan's heuristic engine finds a suspicious file, it may not always be a virus. So you might want to configure a separate action for it, or a separate policy where heuristics is disabled for connections that you know will trigger false positives.
To configure the action that FortiGate takes when a scan finds a suspicious file, use these CLI commands (in FortiOS 5.2 the setting is config antivirus heuristic, then set mode to pass, block or disable, then end).
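Here is an added worked example (Python written for this edit, not code from the guide or from FortiGuard's engine) that runs the three detection methods of the last few slides over one constructed sample family: an exact whole-file signature, a flexible signature that skips the bytes a polymorphic engine changes, and a heuristic score whose Suspicious verdict can be set to pass (log only) or block, mirroring the CLI choice above. The sample bytes, signature names and heuristic weights are invented for the demo.

```python
"""Added example, not from the FortiGate guide or the FortiGuard engine: exact
signature, flexible (wildcard) signature, and heuristic scoring with a
configurable action for 'suspicious'. Samples, names and weights are constructed."""

import hashlib
import re
from typing import Dict, Optional, Tuple

# Exact signatures: SHA-256 of the whole file. Fast and certain, but one
# flipped byte defeats them. Filled in below once the sample exists.
EXACT_SIGS: Dict[str, str] = {}

# Flexible signatures: hex pattern where '??' matches any byte (YARA-style).
# This one pins the decoder stub and lets the XOR key and length vary.
FLEX_SIGS: Dict[str, str] = {
    "W32/DemoPoly.A": "EB 02 ?? ?? 31 C9 B1 ?? 80 34 0E ?? 46 E2 F9",
}

# Heuristics: traits that are legitimate on their own but add up.
HEURISTICS: Dict[bytes, int] = {
    b"SetWindowsHookExA": 3,     # key/mouse hook (keylogger behaviour)
    b"RegSetValueExA": 1,        # writes the registry (installers do this too)
    b"CurrentVersion\\Run": 2,   # persistence via an autorun key
    b"URLDownloadToFileA": 2,    # pulls a second stage
}
SUSPICIOUS_THRESHOLD = 5


def hex_pattern_to_regex(pattern: str) -> "re.Pattern[bytes]":
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)])) for tok in pattern.split()]
    return re.compile(b"".join(parts), re.DOTALL)


def scan_exact(data: bytes) -> Optional[str]:
    return EXACT_SIGS.get(hashlib.sha256(data).hexdigest())


def scan_flexible(data: bytes) -> Optional[str]:
    for name, pat in FLEX_SIGS.items():
        if hex_pattern_to_regex(pat).search(data):
            return name
    return None


def heuristic_score(data: bytes) -> int:
    return sum(weight for needle, weight in HEURISTICS.items() if needle in data)


def verdict(data: bytes, suspicious_action: str = "pass") -> Tuple[str, str]:
    """Return (classification, action). A signature hit is always blocked; a
    heuristic hit follows suspicious_action ('pass' = log only, or 'block')."""
    hit = scan_exact(data) or scan_flexible(data)
    if hit:
        return f"virus:{hit}", "block"
    if heuristic_score(data) >= SUSPICIOUS_THRESHOLD:
        return "suspicious", suspicious_action
    return "clean", "pass"


# Constructed samples: a tiny "polymorphic" decoder stub whose XOR key and
# payload length change between variants while the stub's shape stays the same.
def make_sample(xor_key: int, length: int) -> bytes:
    stub = bytes([0xEB, 0x02, 0x90, 0x90, 0x31, 0xC9, 0xB1, length & 0xFF,
                  0x80, 0x34, 0x0E, xor_key & 0xFF, 0x46, 0xE2, 0xF9])
    return stub + bytes((b ^ xor_key) & 0xFF for b in b"payload" * 4)


VARIANT_A = make_sample(0x5A, 28)
VARIANT_B = make_sample(0xC3, 28)     # same engine, different key: new hash
EXACT_SIGS[hashlib.sha256(VARIANT_A).hexdigest()] = "W32/DemoPoly.A!exact"
TOOLBAR = b"MZ...RegSetValueExA...CurrentVersion\\Run...SetWindowsHookExA..."
DRIVER_SETUP = b"MZ...RegSetValueExA...CurrentVersion\\Run..."

if __name__ == "__main__":
    for name, sample in (("variant A", VARIANT_A), ("variant B", VARIANT_B),
                         ("toolbar", TOOLBAR), ("driver setup", DRIVER_SETUP)):
        print(f"{name:13}", verdict(sample), "| heuristic score", heuristic_score(sample))
```

Variant B is the point of the slide: the exact hash misses it, the wildcard pattern catches it. The driver installer writes the same registry keys as the toolbar but stays under the threshold, which is the false-positive trade-off the heuristic action setting lets you tune per policy.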

What if heuristics is too uncertain? What if you need a more sophisticated, more certain way to detect malware, and to find zero-day viruses?
You can integrate your antivirus scans with FortiSandbox. For environments that require more iron-clad certainty, FortiSandbox executes the file within a protected environment, then examines the effects of the software to see if it is dangerous.
For example, let's say you have two files. Both alter the system registry, and are therefore suspicious. One is a driver installation, whose behavior is normal, but the second file installs a virus that connects to a botnet command and control server. Sandboxing would reveal the difference. Then, you can submit a sample of the new virus to FortiGuard security researchers, and quickly receive and deploy a FortiGuard Antivirus or IPS update to defend your network against this new threat.

In order for FortiGate to sandbox files, it must be able to send them to either a FortiSandbox device or a FortiCloud sandboxing account.
What is the primary difference between the two?
FortiCloud has limits on the amount of data that can be submitted. Each account has a quota.
FortiSandbox limitations vary by the model's capabilities.
On FortiSandbox, you must also configure it to accept input from your FortiGate or FortiMail.

Whether you use FortiSandbox to discover new viruses, or one is discovered by your own security team, the next step is to develop a signature to detect it so that your FortiGates can begin to block it.
New viruses can be submitted to FortiGuard's security research team manually or automatically, via FortiSandbox or FortiCloud Sandbox.
If you want to submit a new virus manually, go to the FortiGuard web site. Upload the file for scanning. If the virus does not currently exist in any of the FortiGuard Antivirus databases, the web site will report it as clean. You will then have the option to submit the sample to FortiGuard analysts. They will develop a signature for it, as well as engine modifications (if necessary), and this will be in the next update that your FortiGate and FortiMail devices download from FortiGuard.
In addition to protecting your own network, this obviously also helps to ensure that others' networks won't be infected either. By being part of a united security community, you can help to stop botnets from growing into large threats. This has benefits for you, and not just your neighbors. If your neighbors aren't infected, your network won't need to spend as much CPU, RAM, and bandwidth on fighting spam, worms, DDoS attacks, and other threats.

Now that we've discussed the types of scans, let's talk about the engines that use them. They don't behave the same way.
FortiGate has traditional proxies, which break up each session into particular states which it analyzes, but it can also analyze traffic as a more continuous packet flow.
Let's discuss how to choose between those two types of engine.

One of the factors when choosing an antivirus engine is speed. Software that is installed on endpoints, such as FortiClient, can usually schedule scans for later, pause the current scan, or scan only with spare CPU cycles when the computer is idle. In other words, time is not a factor.
But on a network device, this is not possible.
FortiGate must scan quickly to avoid a session or connection timeout. FortiGate allows up to 30 seconds for a scan to complete. If it takes longer than that, a process called a watchdog terminates the scan, and the traffic is allowed to pass. FortiGate also creates an event log saying that scanunit crashed with a Signal 14 (SIGALRM). It's not a real crash, and not abnormal behavior exactly: the scan was terminated before completing. From the software's perspective, that's technically a crash, so the event log records it as one.
As you can see, speed is an important factor in network antivirus scans. With that in mind, let's consider the two engines.

Depending on the protocol, FortiGate may be able to use either:
an implicit proxy, or
an explicit proxy, that is, a proxy that clients must be configured to use.
Usually, you'll use an implicit proxy. Clients connect through the proxy's IP address, not to it. As long as traffic is routed through FortiGate, the proxy transparently intercepts that traffic, without any configuration on the clients.
Each proxy parses that protocol's commands. Traffic usually must arrive on the expected port, and conform to the specification. (A proxy cannot scan a protocol that it does not listen for, or understand.) For example, in an SMTP session, an SMTP proxy knows each valid stage: the client uses the MAIL FROM: command to specify the sender, RCPT TO: for the recipient, DATA for the message, and so on. When scanning for viruses, the SMTP proxy knows that the DATA command carries the part that may contain a virus payload, before it passes that data to a scanunitd child process.
Especially for larger files, this can add noticeable latency: FortiGate must buffer the entire file (or wait until the oversize limit is reached) before scanning. So if your file limit is large, consider the setting Comfort Clients. While buffering the file, the proxy will slowly release some data to the client until it can complete the buffer and finish the scan. This prevents a connection or session timeout. What's the disadvantage? Very small viruses in the first bytes could reach the client before the scan result is available. Disable client comforting if very high security is required.

What is another way to reduce latency? Use the flow-based engine instead.
It doesn't analyze sessions in discrete protocol stages. The flow-based engine scans the packets as a continuous stream, looking for viral payloads regardless of the surrounding protocol details. Depending on your model, some flow-based operations may be performed by a specialized FortiASIC chip, further improving performance.
But flow-based scans can't support all the features that proxy-based scans can.
The flow-based engine doesn't operate according to the rules of the protocol. This means that even if the scan later detects a virus, the flow-based engine may have already forwarded the packets where it should have inserted a block message. So the client may think it is a network error, and try again. Also, much like a proxy with client comforting enabled, the flow-based engine forwards packets at the same time as it scans the payload. The result? The client may already have received most of a virus by the time the scan drops the connection. As with client comforting, if your environment requires very high security, you may want to avoid this option.
Regardless of which engine you use, the scan techniques give similar detection rates. How can you choose between the scan engines? If performance is your top priority, then flow-based is more appropriate. If security is your priority, proxy-based with client comforting disabled is more appropriate.


Both engines buffer up to your specified file size limit. The default is 10 MB. It's large
enough for most files except movies. If your FortiGate model has more RAM,
though, you may be able to increase this threshold.
Without a limit, very large files could exhaust scan memory. So this threshold
balances risk vs. performance. Is this tradeoff unique to FortiGate, or to a specific
model? No. Regardless of vendor or model, you must make a choice. This is due to
the difference between scans in theory, which have no limits, and scans on real-world
devices, which have finite RAM. In order to detect 100% of malware regardless of file
size, a firewall would need infinitely large RAM, something that no device has in the
real world.
Most viruses are very small. So, percentage-wise, unless many viruses are Trojans
appended to the very end of a large file, changing this value doesn't impact security
very much. This table shows a typical tradeoff. You can see that even with a 5 MB
threshold, only 0.14% of spyware passes through. But after billions of packets,
several hosts may require disinfection.


So what is the recommended buffer limit? It varies by model and configuration.

Adjust the oversize limit for your unique network for optimal performance. A smaller
buffer minimizes proxy latency and (for both engines) RAM usage, but it may allow
viruses to pass through undetected. With a buffer that's too large, clients may
notice transmission timeouts. Balance the two.
If you aren't sure how large a buffer you need, temporarily enable oversize-log to
see whether oversized files are frequent, and whether the large files are important to
allow.
Files that are too large for the maximum buffer size cannot be completely scanned,
and the default is to allow those files to pass. This is because large files are often
harmless, and many networks have antivirus software installed on endpoints, so this
minimizes unnecessary help desk calls. But if you require a very secure
environment, or if your endpoints have no antivirus software, you can change this
setting on a per-protocol basis so that FortiGate blocks oversized files.
If oversized files are blocked, then your endpoints are safe. You won't need the logs
about oversize files for forensics. So you may be able to improve performance
slightly by disabling oversize-log.


Relatedly, large files are often compressed. From the scan's perspective, this is light
encryption: it won't match signatures. So FortiGate must decompress the file in order
to scan it.
When decompressing, FortiGate must first identify the compression algorithm. Some
archive types can be correctly identified using only the header. Also, FortiGate must
check whether the file is password-protected. If the archive is protected with a
password, FortiGate can't decompress it, and therefore can't scan it.
FortiGate then decompresses files into RAM. Just like other large files, this buffer
has a maximum size: uncompress-oversize-limit. Increasing this limit may decrease
performance, but allows you to scan larger compressed files.
If an archive is nested (for example, if an attacker is trying to circumvent your scans
by putting a ZIP file inside another ZIP file), FortiGate will try to undo all layers of
compression. By default, FortiGate will attempt to uncompress and scan up to 12
layers deep, but you can configure it to scan up to 100 layers deep. Usually, you
shouldn't increase this setting, though. It increases RAM usage, and if a file has been
compressed more than 12 times, it is almost always a virus anyway.


Let's review briefly.

If the buffer is full, the antivirus scan has a simple behavior. FortiGate will, depending
on your setting, either block or pass the file.
Since FortiGate doesn't have the entire file, it would be impossible to determine
whether or not the file contains a virus.


If the file has been completely transmitted (that is, FortiGate reaches the byte that
marks the end of the file, EoF), then FortiGate decompresses the file (if applicable)
and uses these scans, in this order.
The virus scan is first, because its results have high certainty and the computations
are fast. Heuristics, which are less certain, are applied last.


If you consider all of the settings together, this is the complete decision tree that
FortiGate uses for antivirus scans.


When an attacker releases a new virus into the wild, as with all antivirus software,
your FortiGate must be updated with a matching signature so that it can detect it.
Most organizations don't have the personnel to dedicate to writing antivirus
signatures 24 hours a day, 7 days a week. Even if you do, it is usually beneficial to
share security knowledge and workload. A FortiGuard Antivirus service contract
provides your FortiGate with access to the latest signatures and detection engines
from Fortinet's security research team.


You can update your FortiGate's antivirus signatures and engines via either the push
method, the pull method, or both. (If temporary packet loss, for example, interferes with the push
method, also enabling pull as a backup method helps to ensure that your FortiGate
will not miss any updates.)
Regardless of which method you select, virus scanning must be enabled in at least
one firewall policy. Otherwise, FortiGate will not download any updates.
Alternatively, you can download packages from the Fortinet Technical Support web
site, and then manually upload them to your FortiGate.


diagnose autoupdate status shows your automatic update options, just like
System > Config > FortiGuard does on the GUI.


It's worth noting that there is an additional feature of the FortiGuard Antivirus service:
when FortiGate detects connections from infected computers to a botnet's command
and control servers (sometimes this is an IRC channel, sometimes a darknet web
server), FortiGate can block those connections. The setting is in the antivirus profile.
The FortiGuard security research team compiles and maintains a list of known botnet
command and control server IP addresses. FortiGate downloads this list via FortiGuard
Antivirus and IPS updates.


Multiple FortiGuard Antivirus databases exist. Support varies by FortiGate model.

All FortiGate devices have the regular database, which only contains signatures for
viruses that are in the wild, that is, viruses detected in recent months or submitted
by Fortinet users and partners. It is the smallest database, and therefore results in
the fastest scans, but does not detect all known viruses.
Some models support the extended database, which also detects viruses that have not
been seen for some time. Vulnerable platforms are still common, and these
viruses could become an issue later due to portable hard disks, periodic connectivity,
and other reasons.
The most powerful models and FortiClient support the extreme database. It is
intended for high security environments, and detects all known viruses, including those
for legacy operating systems such as DOS, Windows 3.x, Windows 95, Windows 98,
and so on.


Via the CLI, you can choose which database your FortiGate will use.


Once you have chosen an antivirus database, in order to use antivirus scans, you'll
also need to configure an antivirus profile. These profiles contain settings for the
inspection mode (that is, the proxy-based or flow-based engine), and define what
FortiGate should do if it detects an infected file.
Proxy options also specify the proxies' listening port numbers for various
unencrypted protocols. You can scan HTTP, for example, even if the connection
doesn't occur on the IANA standard TCP port 80.
But what about encrypted protocols? Encryption is a popular method for attackers to
circumvent security. So, as you would expect, FortiGate can scan encrypted
protocols. But that isn't configured here.


For secure protocols (HTTPS, FTPS, etc.), the proxies are configured in a different
profile type: the so-called SSL inspection profiles.
Encrypted protocols can be inspected to a greater or lesser extent, depending on
what you select.
SSL Certificate inspection only validates certificate information, such as the issuing
CA. This type cannot inspect the contents of the traffic, which are inside the
encrypted payload.
Full SSL Inspection validates the certificate, but also decrypts the payloads for
antivirus scanning. Because this method uses an authorized man-in-the-middle
(MITM) attack, clients will detect the inspection. Users may need to either override
the SSL validation failure, or install your CA certificate.
Certificate-based inspection is described in detail in another lesson.


Virus scanning statistics can be found on the FortiGate dashboard, in the Advanced
Threat Protection Statistics widget.
If your FortiGate is submitting files for sandboxing, then it keeps statistics about the
number of files submitted, and the results of those scans. These statistics are
separate from files that are scanned locally on the FortiGate.


When the antivirus scan detects a virus, by default, it creates a log about what virus
was detected, and by which method. It also provides a link to more information on
the FortiGuard web site.


If the antivirus logs are empty, this doesn't mean your network has no outbreak.
Before, we showed how to pass a file if it is too large for scan buffers, is
password-encrypted, or has too many layers of nested compression. Logging can be
disabled for those. We also explained the flow-based engine, and client comforting by
the proxy-based engine. Even if FortiGate detected a virus and reset the connection,
some or all of the virus could have been transmitted before then. And when choosing
an antivirus database, we said that if you trade some security for better performance,
some viruses may pass through. We also explained zero-day exploits.
If any of that happens, how can you submit a sample of a suspected virus, or get
information on how to disinfect those hosts?
Visit the FortiGuard web site, http://www.fortiguard.com.
In the example here, this antivirus signature is only in the extended database for
FortiClient. What does this mean? Unless you have a FortiGate model that can use
the extreme database, and you have enabled it, your firewall would not have been
able to detect that specific virus. If you have vulnerable Android hosts, and
FortiClient was installed, they would have been safe. But if they were not protected,
you would need to apply the recommended action to disinfect them.


If your antivirus scans are not functioning as you expect, where should you begin
troubleshooting?
Verify that FortiGuard updates are enabled, and that you have selected antivirus
profiles in your firewall policies. Updates won't occur if there is no firewall policy that
uses them, and antivirus scans won't occur unless a firewall policy applies them.
If automatic updates are enabled, the next thing to examine is whether those
scheduled update requests are succeeding. For that, use the command diagnose
autoupdate version.
It shows details about the antivirus engine and databases, IPS engine and
definitions, geography-to-IP mappings database, and other features.
It also shows your FortiGuard contract status (FortiGate won't be able to download
updates if it's not authorized) and when the last update was attempted, and when it
succeeded.


Both manual and automatic updates to FortiGuard packages trigger FortiGate to
check if the version is newer. If the version available is equal to or less than the
version installed, then to prevent accidental downgrades, it will not apply the update.
To turn off the version check, you can use this command with the enable flag. If a
specific signature is causing false positives, you can use this command to
temporarily disable the version check, and revert the database. After you have
resolved the issue with Fortinet Technical Support, make sure to run this command
again, but with the disable flag instead.


If your FortiGate's RAM usage is high, the next thing to examine is the event log.
Look for messages about conserve mode. Conserve mode occurs when FortiGate
does not have enough RAM available to properly handle traffic.
UTM features such as antivirus do not need to be enabled for conserve mode to
occur, but UTM inspection does increase memory usage beyond simple firewall
policies. In other words, conserve mode is more likely when antivirus or IPS is
enabled. You can determine whether antivirus is using much of the memory by
running the command diagnose sys top.
There are a few categories of RAM conservation. Let's show the difference.


Kernel conservation mode is when the FortiOS kernel itself does not have enough
memory available. There's no single cause, but it could be processes
simultaneously opening too many files, too much information on the stack, etc.
System conservation mode indicates a lack of RAM for processes and daemons
such as miglogd. The threshold is whenever the overall memory usage reaches
about 80%. Once triggered, FortiGate will not exit this mode until memory usage has
dropped by 10%, to approximately 70%.
Proxy conservation mode is when the transparent UTM proxy runs out of available
sockets. The maximum number of proxied connections varies by model.
In kernel conservation, the behavior is not configurable. It is a critical lack of RAM.
But the behavior for system and proxy RAM conservation is configurable. Let's see the
settings that you can use.


av-fail-open is the CLI setting that controls FortiGate's behavior while it is in system
conserve mode.
Depending on your configuration and traffic types, each option may be more or less
effective at freeing RAM.


If av-failopen-session is enabled, then FortiGate will act according to the av-failopen
setting. Otherwise, by default, it will block new sessions until RAM becomes
available.


During kernel conservation mode, FortiGate attempts to reclaim memory that is not
in use.
In an operating system, when a process releases memory, it is not immediately
reclaimed. There is a garbage collector memory daemon that periodically finds
unused pointers. As part of this process, FortiGate drops any sessions that the proxy
considers idle.
While FortiGate is in this type of conserve mode, all new sessions will pass through
the FortiGate without any UTM inspection, because the operating system does not
have enough memory to do so.


Because logging itself requires some RAM, depending on the type of conserve
mode, log messages may not always immediately appear. Kernel conserve mode
especially may not appear easily.
Creating a log entry takes up memory. While in conserve mode, your FortiGate's
operating system is doing everything possible to prevent RAM usage from
increasing. Trying to create a log entry while conserve mode is active would be
counterproductive.
If your FortiGate is in one of the three conserve modes, how can you correct it?


This shows the shared memory diagnostic. It indicates what type of conserve mode
(if any) your FortiGate is in. It also provides a quick summary of how much shared
memory is being used on your FortiGate.
The antivirus database is one of the things on your FortiGate that uses shared
memory, so if this is very high, you can try to solve the problem by switching from the
extended signature database to the regular database, for example.
Notice that this command doesn't show kernel conserve mode, however. How can
you determine how much kernel memory is used?


diagnose firewall iprope state has a section right at the beginning with an entry for
av_break.
Normally, the av_break option will be pass/off. But if FortiGate is currently in kernel
conserve mode, this command will show av_break=pass/pass. If this is very
common, and you've checked your configuration, you may need to examine the
traffic levels and protocol types. Your network may have grown or changed in
important ways, and need a more powerful model capable of supporting the added
or changed traffic.
Much of the other output of this command is dictated by the settings for av-failopen
and av-failopen-session and will change based on the configured options.


To review what we discussed, here is a list. We showed:

Some different malware terminology and what it means
The different types of scanning that can be enabled on a FortiGate
Sandboxing and how it can be used
Blocking botnet connections
The difference between proxy-based and flow-based virus scanning
The different antivirus databases
The behavior of oversized files
The order of operations within the virus scanning engine
How to handle an undetected piece of malware
Some details about virus scanning of encrypted traffic
How to read virus detection logs
What conserve mode is
Some of the memory diagnostics that are available on a FortiGate

Explicit Proxy

In this lesson, we will show you how your web browsers can use FortiGate as an explicit proxy.


After completing this lesson, you should have these practical skills.
You will learn how to configure both FortiGate and the web browsers that will use it as an explicit proxy.
Since you can alternatively use an implicit proxy, we will also explain why in some cases you might want
an explicit proxy instead.


A proxy receives or intercepts requests from a client to a server. If allowed, and if no cache is available,
it forwards the request to the server on behalf of the client.
Two sessions are created: one from the client to the proxy, and another one from the proxy to the server.
How is this different from an implicit proxy, sometimes called a transparent proxy?


An implicit proxy server does not require any configuration change on the clients. Clients continue to use
the web just like they would without a proxy.
Clients send requests to the web server's IP address and port number. The proxy intercepts the clients'
requests transparently; that is, at the IP layer, the destination address doesn't change.
Does this mean that implicit proxies don't require any configuration changes, anywhere? Not
necessarily.
Usually, both incoming and outgoing traffic is routed through FortiGate. As a result, web browsing is
already being routed through FortiGate, where it can be intercepted by the transparent proxy. But if
clients' traffic isn't currently routed through FortiGate, then you must reconfigure routing so that the
packets will be routed through FortiGate, where the implicit proxy can intercept them.


How is an explicit proxy different?

With explicit proxy servers, you must configure clients to send their requests to the proxy's IP address,
not to the web site's servers. But because clients are specifically sending web traffic to your FortiGate,
you shouldn't need to reconfigure any routers.
Methods vary by web browser or other HTTP client.


How do you configure users' web browsers to use an explicit web proxy?
In large networks, you won't configure the browser settings individually, on each computer; instead, for
example, you may use an Active Directory login script or roaming profile.
Alternatively, you can configure browsers to use an explicit proxy by installing a PAC file, or by using the
web proxy auto-discovery protocol (WPAD).
Let's look at each.


With manual configuration, you must provide one proxy's FQDN or IP address. It is limited to only one
proxy.
If you want to exempt specific IP addresses, subnets and FQDNs from using the proxy, you can add
them to a list. For those destinations, the browser will send requests directly to the web servers.


The second possible method is a standard explicit auto-configuration file, called a PAC file. A PAC file
contains instructions that tell the browser when to use a proxy, and which proxy to use, depending on the
destination.
This method supports the use of multiple proxy servers.
To deploy the PAC file, first you must install it on an HTTP server that the clients can reach. (Your
FortiGate can act as the HTTP server for the PAC file.) Then you must configure all browsers with the
PAC file's URL. Again, in larger networks, you usually won't do this individually; instead, you will use
your domain to define the PAC file's URL.


What does a PAC file contain?

A PAC file is a JavaScript file. When a browser runs it, the script determines whether the request will be
proxied, and what the addresses should be in packets, including in the URL and Host: header at the
Layer 7 HTTP layer.
In this example:
The PAC file allows any connection to example.com to bypass the proxy.
Connections to servers in the 10.0.0.0/24 subnet use the proxy named fastproxy.example.com,
whose FQDN is resolved to an IP address by a DNS query at the time of the request, so it could be
different for clients on the private vs. the public network.
All other requests are made through proxy.example.com.
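The PAC logic described above, written out as an added example (it is not the guide's own PAC file). The proxy port 8080, the stand-in implementations of the browser-provided PAC helpers (dnsDomainIs, dnsResolve, isInNet) and the constructed name-to-address table are assumptions made so the script can run outside a browser, where those helpers are normally supplied by the browser itself.

```javascript
// Constructed name-to-address table standing in for the browser's DNS resolver
// (assumption: these names and addresses are made up for the example).
const FAKE_DNS = {
  "intranet.corp.example": "10.0.0.25",   // a server inside 10.0.0.0/24
  "www.example.org": "203.0.113.10",      // a public server
};

// Stand-in for the PAC built-in dnsDomainIs(): true when host is the domain
// itself or any name under it. Browsers provide this natively.
function dnsDomainIs(host, domain) {
  return host === domain.replace(/^\./, "") || host.endsWith(domain);
}

// Stand-in for the PAC built-in dnsResolve(): returns an IP literal unchanged,
// otherwise looks the name up in the constructed table (null if unknown).
function dnsResolve(host) {
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return host;
  return Object.prototype.hasOwnProperty.call(FAKE_DNS, host) ? FAKE_DNS[host] : null;
}

// Dotted-quad IPv4 string to an unsigned 32-bit integer.
function ipToInt(ip) {
  return ip.split(".").reduce((acc, octet) => (acc << 8) + Number(octet), 0) >>> 0;
}

// Stand-in for the PAC built-in isInNet(): resolves host (a DNS query in a real
// browser) and checks whether the address falls inside pattern/mask.
function isInNet(host, pattern, mask) {
  const addr = dnsResolve(host);
  if (addr === null) return false;  // unresolvable names never match a subnet
  const m = ipToInt(mask);
  return (ipToInt(addr) & m) === (ipToInt(pattern) & m);
}

// The PAC entry point. The browser calls FindProxyForURL(url, host) for every
// request and follows the returned directive.
function FindProxyForURL(url, host) {
  // Any connection to example.com (or a name under it) bypasses the proxy.
  if (dnsDomainIs(host, ".example.com")) {
    return "DIRECT";
  }
  // Servers in 10.0.0.0/24 go through fastproxy.example.com. The browser resolves
  // that FQDN at request time, so private and public clients can get different
  // addresses for it. Port 8080 is an assumed listening port.
  if (isInNet(host, "10.0.0.0", "255.255.255.0")) {
    return "PROXY fastproxy.example.com:8080";
  }
  // Everything else goes through proxy.example.com.
  return "PROXY proxy.example.com:8080";
}
```

Note that isInNet() triggers a DNS lookup for every non-literal host in a real browser, which is why PAC authors usually test cheap hostname rules such as dnsDomainIs() first.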


Browsers can automatically discover the URL where the PAC file is located via the web proxy
auto-discovery protocol (WPAD).
There are two methods you can use to do this. One is to use a DNS server; the other is to use a DHCP
server.
Most browsers try the DHCP method first. If it fails, they try the DNS method.


With the DHCP method, the browser sends a DHCPINFORM request to the DHCP server. The DHCP
server replies with the PAC file's URL.
The browser then downloads the PAC file.


The DNS method is very similar; the differences are in the required PAC URL.
First, the browser queries the DNS server to resolve the FQDN wpad.<local-domain>.
The DNS server replies with the IP address of the web server (in this case, a FortiGate) where the
browser can download the PAC file. This method always uses TCP port 80 and the PAC file name
wpad.dat.
The browser downloads the PAC file, then accesses the web through the proxies indicated in the PAC
file.


Usually, you will enable the proxy to cache responses from web servers.
A web cache stores responses from web servers so that the next time a client requests the same thing,
FortiGate can quickly send the cached content, instead of forwarding the request and waiting for the
response. This reduces WAN bandwidth usage, server load, and delay. We will review how web caching
works in the next slides.


If you've enabled caching, when the client makes a request, the proxy first checks whether the URL that
the client requested is already in memory.
If it is not, the proxy forwards the request to the server. When the server responds, FortiGate stores the
response in memory; that is, it adds the content to its cache.
The proxy also forwards a copy of the content to the client.


If any client using FortiGate's proxy requests the exact same URL,
FortiGate will recognize it, and immediately forward a copy of that content from the cache to the client.
Unless the content on the server has changed, the proxy does not need to request content from the
server again, so from the client's perspective, each response after the initial request is faster.
Notice that because dynamic URLs are not exactly the same, and their content may be personalized for
each client, dynamic URLs are usually not cached.


Given that the cache consumes system resources, do you want all users to be able to use the cache?
You can configure FortiGate's HTTP proxy to allow access only to authenticated users that belong to
specific user groups. Authentication can be based on either source IP address or HTTP session
cookies.
How should you decide which to use?
IP-based authentication requires less RAM to remember the authenticated sessions. However, it should
only be used when each user has a different IP address from the perspective of the source address in
the IP header.
If your users are behind source NAT, such as with a remote office that uses Internet sharing, use HTTP
session-based authentication instead. In this mode, each browser inserts an HTTP cookie in its
requests. The cookie identifies the user's sessions. This method requires slightly more RAM because
FortiGate must remember all session cookies. However, it can even differentiate the same person using
multiple accounts (multiple tabs in multiple browsers).


What does the traffic flow look like when a user authenticates with the explicit proxy, using HTTP
session-based authentication?
If a user connects and the request doesn't have any associated authentication session, first FortiGate
replies to the browser, requesting login credentials. The browser prompts the user to authenticate, and
remembers the authenticated state by storing a cookie.
If the same user makes more requests later, the browser automatically sends the same cookie again.
FortiGate identifies the user via a lookup in its table of current session cookies, so the user does not
need to authenticate for every request, only the first time.


These are the steps for configuring a FortiGate as an explicit web proxy. We will show the details of
each step next.


By default, the explicit web proxy settings are hidden in the GUI. To show them, in the dashboard's
Features widget, enable explicit proxy.


Once explicit proxy settings are visible in the GUI, you can enable and configure them.
You can configure the TCP port where the proxy is listening, edit and upload the PAC file, and choose
the default action that FortiGate will take if there is any traffic that doesn't match a proxy policy.
We will talk about the proxy policies later.


After enabling the explicit web proxy globally, you must specify on which interfaces the proxy will
listen for connections.


The next step is to create explicit proxy policies to specify which traffic and users are allowed to use the
proxy. Starting from FortiOS 5.2, policies for the explicit proxy are configured in a different configuration
section than the regular firewall policies.
Proxy traffic can be inspected. We can do antivirus, web filtering, application control and IPS inspection.
Additionally, the use of web caching can be enabled or disabled per policy.
When the proxy traffic matches a proxy policy, FortiGate takes one of three possible actions: accept
the traffic, deny it, or request authentication before accepting it.


If you select authentication as the action, you will be presented with the option to add authentication
rules. These rules specify which users and user groups are allowed, and what kind of inspection is
going to be done for each of them.


Authentication for the explicit proxy behaves differently than it usually does for firewall policies.
With the explicit proxy, FortiGate will not fall through to try the next authentication rule.
FortiGate always applies the first policy that matches all criteria: the source IP address, the destination
IP address, and the outgoing interface. It doesn't evaluate any policy after the first match, even if the
user failed to authenticate with the first rule.
Let's look at an example next.


In this example, the first proxy policy matches traffic from 10.0.1.0/24. It only allows the user named
Student.
The second policy allows traffic without authentication only if the source address matches 10.0.0.0/8.
With this configuration, if traffic arrives from the 10.0.1.0/24 subnet, and that user has not authenticated
yet, then FortiGate prompts the user to authenticate. Traffic from that source IP address always matches
the first policy, and FortiGate does not continue to evaluate other policies in the list after it finds a match.
So FortiGate never applies the second policy for that subnet, only for the rest of 10.0.0.0/8.


In the CLI, if you disable the setting strict-guest, then all users that do not belong to any user
group in the proxy policy will be treated as if they belong to a group named SSO_guest_user. In this
way, you can control their access even if the users cannot authenticate.
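
As an added example (not from the guide), this Python model reproduces the first-match behaviour of the two policies in the example above, together with the strict-guest option: a request from 10.0.1.0/24 by a user other than Student is never passed on to the second policy. The policy and user names come from the slide; the verdict labels and the SSO_guest_user handling are this model's assumptions, and matching is on the source address only.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of the slide's two proxy policies. Only the source address
# is matched here; a real FortiGate also checks the destination address and
# the outgoing interface before declaring a match.
GUEST_GROUP = "SSO_guest_user"


@dataclass(frozen=True)
class ProxyPolicy:
    name: str
    source: ipaddress.IPv4Network
    action: str                       # "accept", "deny" or "authenticate"
    allowed: frozenset = frozenset()  # users/groups accepted by the auth rules


POLICIES = [
    ProxyPolicy("policy-1", ipaddress.ip_network("10.0.1.0/24"),
                "authenticate", frozenset({"Student"})),
    ProxyPolicy("policy-2", ipaddress.ip_network("10.0.0.0/8"), "accept"),
]

# Same policies, but policy-1's rules also admit the SSO_guest_user group,
# which only has an effect once strict-guest is disabled.
GUEST_POLICIES = [
    ProxyPolicy("policy-1", ipaddress.ip_network("10.0.1.0/24"),
                "authenticate", frozenset({"Student", GUEST_GROUP})),
    POLICIES[1],
]


def first_match(policies, client_ip):
    """Return the first policy whose source contains client_ip, else None."""
    ip = ipaddress.ip_address(client_ip)
    for policy in policies:
        if ip in policy.source:
            return policy
    return None


def evaluate(policies, client_ip, user=None, strict_guest=True):
    """Decide the fate of one proxy request.

    Only the first matching policy is consulted; a missing or failed
    authentication never falls through to a later policy. Returns
    (policy_name, verdict) with verdict in
    {"accept", "deny", "prompt-auth", "accept-as-guest"}.
    """
    policy = first_match(policies, client_ip)
    if policy is None:
        return (None, "deny")            # no policy matched: implicit deny
    if policy.action in ("accept", "deny"):
        return (policy.name, policy.action)

    # action == "authenticate": check the user against this policy's rules only
    if user is not None and user in policy.allowed:
        return (policy.name, "accept")
    if not strict_guest and GUEST_GROUP in policy.allowed:
        # strict-guest disabled: anyone outside the listed groups is handled
        # as a member of SSO_guest_user, whether or not they authenticated
        return (policy.name, "accept-as-guest")
    if user is None:
        return (policy.name, "prompt-auth")
    return (policy.name, "deny")         # wrong user, and no fall-through


if __name__ == "__main__":
    for ip, user in [("10.0.1.10", None), ("10.0.1.10", "Student"),
                     ("10.0.1.10", "Visitor"), ("10.0.2.10", None)]:
        print(ip, user, "->", evaluate(POLICIES, ip, user))
    print("10.0.1.10 Visitor, strict-guest disabled ->",
          evaluate(GUEST_POLICIES, "10.0.1.10", "Visitor", strict_guest=False))
```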

As with firewall policies, when creating proxy policies you use firewall address objects to specify the
source and destination.
With HTTP, the destination may appear both in the IP header's destination field and in the HTTP
Host: header. They aren't always the same. Usually the Host: header is an FQDN, possibly indicating
an Apache virtual host; it is not usually an IP address. At the IP layer, however, the destination field always
contains an IP address. So if you are matching by using an IP Range object, keep in mind which layer
you are matching, and the effects of NAT at both layers.
Are IP addresses and domain names the only ways to match traffic to a proxy rule? No.
One type of firewall address object can only be used in proxy policies: the URL pattern object type. The
proxy can match policies based on the requested URL (not only the destination IP address), and URL
address objects are used for that purpose.

In this example of a URL address object, the first proxy policy allows unrestricted access to
the URL update.microsoft.com. No authentication is required.
All other traffic matches the second policy, which enforces authentication when accessing any other
URL.

If you are using the WPAD DNS method to configure the browser, you may need to edit the PAC file to
indicate the file name and listening port number.
As we explained before, the DNS method always assumes that the PAC file is located at:
http://<FortiGate_IP_Address>:80/wpad.dat
So if your clients use the DNS method, you must configure FortiGate to offer the PAC file named
wpad.dat, and to listen for requests for it on port 80.

Also, you must check that the Local Domain Name setting is properly configured.
This setting determines which requests FortiGate replies to: FortiGate only serves the WPAD file when
the Host: header in the client's request matches FortiGate's own.

Once the web proxy is working, you can monitor which users are connected to it, that is, the
proxy's session table. You can do this from the GUI, or from the CLI by using the command:
diagnose wad user list
You can also remove all entries from the list of users that are currently
authenticated with the proxy.

Here is a review of what we discussed.

We reviewed some explicit web proxy concepts. We also showed how to configure and monitor a
FortiGate that is acting as an explicit web proxy, and how to configure web browsers to use the proxy.
We explained that, depending on your situation, some configuration choices require more RAM or
specific FortiGate port numbers. Finally, we showed how to see which users are currently
authenticated with the explicit proxy.

Web Filtering

In this lesson, we will show you how to filter users' access to web sites, which is one of the features
most commonly used by network administrators.

After completing this lesson, you should have these practical skills, which will give you an understanding
of the various options that are available to manage and track web content.
Familiarity with website design and behavior, as well as with the HTTP protocol, is useful for understanding
this module.

Web filtering is simply a means of controlling, or tracking, the websites people visit. There are many
reasons why a network administrator would want to do this: preserve employee productivity; prevent
network congestion where valuable bandwidth is used for non-business purposes; prevent loss or
exposure of confidential information; decrease exposure to web-based threats; limit legal liability when
employees access or download inappropriate or offensive material; prevent copyright infringement
caused by employees downloading or distributing copyrighted materials; prevent children from viewing
inappropriate material.

Proxy-based web filtering uses a transparent proxy that intercepts traffic between the client
and server, placing FortiGate in the middle of the connection. Because it intercepts at Layer 7, proxy-based
inspection provides the most flexibility and configuration options for inspecting web traffic, and some features
are only available to you when using proxy-based inspection. Greater control comes at a cost: it is also
the most resource intensive in terms of memory and CPU usage, and therefore has the slowest throughput.
That said, it is widely used and is a very strong solution on appropriately scaled systems.

Flow-based web filtering is achieved by caching the traffic intercepted between the client and server and
analyzing the TCP flow, hence flow-based. It provides fewer flexibility and configuration options for
inspecting web traffic than proxy-based does, because it intercepts at Layer 3 and works with
the Layer 4 data. It does not recover actual files, as the proxy does, so content cannot be sent to
scanunit.

Rather than looking at the HTTP protocol, another option is to filter the DNS requests that occur before
an HTTP GET request. This has the advantage of being very lightweight, but at a cost: it lacks
the precision of HTTP filtering. Every protocol generates DNS requests in order to resolve a
hostname, so this kind of filtering affects all of the higher-level protocols that depend on DNS,
not just web traffic. For example, it could apply FortiGuard categories to DNS requests for FTP servers.
Very few web filtering features are possible beyond hostname filtering, because of the limited amount of
data available at the point of inspection.

Inspection mode is set in the web filter profile. When changing mode, the options displayed will change
because they are dependent on the inspection mode. When a web filter profile using proxy inspection
mode is selected in your firewall policy, a proxy options profile must also be defined. The proxy options
profile defines proxy behaviors as well as the ports to be inspected for web or DNS traffic. HTTPS
inspection port numbers, and other settings related to the handling of SSL, are defined separately in the
SSL/SSH inspection profile.

Let's summarize the different modes. Proxy-based caches traffic, so it can cause a noticeable delay
depending on the file size, oversize limit and connection speed. It does, however, support a greater
number of web filtering features. Flow-based has a much higher throughput rate than proxy-based,
because it does not cache data, so there is no transmission delay. DNS-based is very lightweight
because it handles only the nameserver lookup, but suffers from accuracy issues because it does not
see the full URL.

DNS web filtering looks at the nameserver response that typically occurs when you connect to a
website. Proxy-based and flow-based web filtering both look for the HTTP 200 response returned when you
successfully access the website. Handling the response, as opposed to the DNS request or HTTP GET,
confirms that the site is present.

Static URL filtering is enabled in the web filter profile. Entries in the URL filter list are checked against
the website that is visited. If a match is found, the configured action is taken. If there is no match,
FortiGate moves on to the next enabled check.
Patterns of type Simple are exact text matches. Patterns of type Wildcard allow some flexibility in the
text pattern by allowing wildcard characters and partial matching. Patterns of type Reg. Expression
allow the use of PCRE regular expressions.

When a user visits a website, FortiGate looks in the URL list for a matching entry. In this example,
the website matches the third entry (using the same list as the previous slide). This entry is of the Simple
type, so the match must be exact; there is no option for a partial match with a Simple pattern. In this
case the action is to block the website, so the user is presented with a block page rather than the
website they were expecting to see.

Rather than blocking or allowing websites individually like static URL filtering, FortiGuard category filtering
looks at the category that a website has been rated with. Action is taken based on that category, not the
URL itself.
FortiGuard category filtering is a live service that requires a connection to the FortiGuard network and an
active contract in order to operate. If the contract expires, there is a 7-day grace period to renew the
contract before services are cut off. Rather than communicating with the FortiGuard network to receive
a website's category, larger FortiManager models can be used instead.
FortiGuard category filtering and static URL filtering have different lists of possible actions that can be
configured. The impact of selecting different actions is covered later on.

When a user visits a web site, you can use the FortiGuard live service to find out the category for the
URL and allow or block access by category. This is a great way to perform bulk URL filtering without
having to individually define each web site.
After the 7-day grace period, FortiGate will not be able to rate websites and every visit will be treated
as a rating error. In the event of a rating error for a website there are only two options: block or allow.

FortiGuard category filtering is enabled in the GUI, through the Web Filter profile. Categories and
subcategories are listed, and the action to take can be defined individually for each one. Actions are
assigned by right-clicking and selecting from a menu.
If the feature is enabled and the unit does not have a valid contract, a warning is displayed in
the GUI.

FortiGate can maintain a list of recent web site rating responses in memory, so if the URL is one
that the device already knows about, it does not have to send another rating request. Two ports are
available for the unit to query FortiGuard with: port 53 and port 8888. Port 53 is the default, since this is
also the port number used for DNS, which is almost guaranteed to be open. However, any kind of
inspection will reveal that this traffic is not DNS and prevent the service from working. In this case, you
can switch to the alternate port 8888, but this port is not guaranteed to be open in all networks, so you
will need to check this before setting it up. Port 80 is an option for FortiGuard communications, but
only if you are using a FortiManager rather than the FortiGuard network.

Caching responses reduces the time it takes to establish a rating for a website. A network round trip
takes milliseconds at best, and seconds are not unusual. A memory lookup is
orders of magnitude faster (nanoseconds).
The rating request timeout defaults to 15 seconds but can be adjusted as high as 30 seconds if necessary.

Web site categories are determined by both automatic and human methods. The FortiGuard team has
automatic web crawlers that look at various aspects of the website in order to come up with a rating.
There are also people who examine websites and look into rating requests in order to determine
categories.

There is always the possibility for errors in rating, or a scenario where you simply do not agree with the
rating a site has been given. In this case, you can use the web portal to contact the FortiGuard filtering
team to submit a web site for a new rating, or to get it rated if it is not already in the database.

The Warning action is only an option when using FortiGuard category filtering, and only with proxy-mode
inspection. It is not available with static URL filtering.
When someone visits a website in a category with an action of Warning, they are presented with a
page that warns them they may not wish to visit this website. They are given a choice to go to the
website anyway, or go back to the previous website.

The Authenticate action is only an option when using FortiGuard category filtering, and only with proxy-mode
inspection. It is not available with static URL filtering.
The Authenticate action blocks all websites in that category unless a valid passcode is
entered. This is not user authentication: entering proper credentials does not result in any kind of
login. The username/password pair is used the way a key is used to open a locked door.
Once this has been done successfully, access is allowed to that category for the amount of time that has
been configured. This allows the user to visit any other websites in the same category for as long as
has been configured. They are not prompted again when visiting a second (or third)
website in the same category, so long as the timer has not expired.

The Exempt action is only an option when using Static URL filtering. It is not available with FortiGuard
category filtering.
The exempt action is used in order to bypass issues that may be caused by other checks. Sometimes
FortiGuard category filtering is not granular enough, sometimes a file you need is being caught by virus
scanning. Exempt gives the ability to bypass one or more checks or all further checks.

These actions are possible with FortiGuard category filtering and static URL filtering. Regardless of
which feature they are used with, the resulting action is the same.

Allow: Effectively defines the website as being trusted. Access to the site is permitted and no log
message is generated to record this.
Monitor: Access to the website is permitted and a log message is generated to record the event.
Block: Prevents access to the website and displays a block page to the user instead.

Log message generation is subject to the firewall policy, specifically the Logging Option setting.

When using FortiGuard category filtering, one option to allow or block access to a website is to create a
web rating override and define the website to be in a category other than the one FortiGuard puts it in.
Web rating overrides apply only to hostnames; URLs and wildcard characters are not allowed.
Category filtering is not granular like static URL filtering. If you have a category that is blocked (or
allowed) and you need to make an exception for a particular website, this is one option that is available
to you.
If the contract expires and the 7-day grace period passes, web rating overrides will not be effective.
All website categories will still be considered rating errors.

Since FortiGuard category filtering is not granular and acts based on the category the websites are in,
there may be times when an exception needs to be made for a single website.
Rather than unblocking a potentially unwanted category, access can be provided on a site-by-site basis.
The reverse can also be true: the majority of websites in a category are fine, but a single one
needs blocking.
Changing the category does not automatically result in a different action for the website. This
depends on the settings within the Web Filter profile at the time the user accesses that web site.

Custom categories can be created and used in conjunction with web rating overrides. If the predefined
categories within FortiGuard are not suitable for the situation, additional customized categories can be
added.
These custom categories can be added and deleted as needed, so long as they are not in use. A
category is considered in use if any web rating overrides have been configured to use
it. It is also considered in use if an action other than Allow is associated with that category in
any web filter profile.

FortiGuard quota can be used to limit the time users spend on web sites, based on the categorization.
Quota cannot redirect you once the web site is loaded in the browser. For example, if you had 45
seconds left on your quota and you visited a web site, it would likely finish loading before 45 seconds
was done. You could then spend 20 minutes browsing the information you received. You could not get
blocked or notified until the next attempt to access another one of these web sites. The reason for this is
that the connection to the web site is not generally a live stream. Once you receive the information, the
connection is closed.

Quotas are configured just below the category actions in the Web Filter profile.
Multiple quotas (timers) can be configured in this section. Each one can be linked to a
single category or to multiple categories. If a quota applies to multiple categories, the time is not granted
per category; the single timer applies to all of the specified categories together.

Some features on FortiGate can't provide direct user feedback. FortiGuard quota won't give the user any
feedback until they exceed the quota they have been given, unless the Fortinet Bar is
enabled.
The Fortinet Bar injects a Java applet that uses a communications port to talk to FortiGate and get
additional information from features that would otherwise provide no direct user feedback.
For FortiGuard quota, it provides a countdown.
Other features that can't display block pages (for example, application control) show block events in the top bar.
HTTPS pages are far more sensitive to injected data, so it is not possible to reliably insert it; the
Fortinet Bar is therefore only available for HTTP websites.

Enforcing safe search can be done for Google, Bing and Yahoo. Safe search is an option that some
search engines have in order to apply their filters to the search results that are displayed. This way even
if Safe Search is disabled in the browser, the FortiGate will make sure the query is subject to whatever
settings the service decides. All the FortiGate can do is ensure that it is enabled. It cannot dictate the
behavior of this, as this task is up to the search engine providers. It works by looking for the Safe
Search string when you submit a search. If it is not there, the FortiGate unit will modify the request to
include it. This way, even if it is not enabled locally in the browser, it gets applied to the request as it
passes through the FortiGate.
YouTube EDU filtering is also available. This is a service offered by YouTube to educational institutions.
When you create an account with them, they provide you with an identifier. Unlike normal Safe Search,
this does not append anything to the URL, but adds an HTTP header to the request. This identifies your school to
YouTube when people visit. Within your YouTube EDU account, you can configure the filters and
settings in order to limit video access.

There are several different components to web filtering, and when they are enabled, the inspection order
follows these steps.
The local static URL filter is checked first.
Second, FortiGuard category filtering determines a rating.
Finally, advanced filters are applied, such as Safe Search or removing ActiveX components.
After all the checks are done, the information is handed off internally for virus scanning.
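
As an added example that is not part of the guide, the following Python model walks a URL through the first two checks in the order given above: the static URL filter (with the Simple, Wildcard and Reg. Expression entry types described earlier) and then FortiGuard category filtering, including a hostname-only web rating override and the rating-error fallback after a lapsed contract. The filter list, rating table, hostnames and category names are constructed for the example; fnmatch and Python's re module stand in for FortiGate's wildcard matcher and PCRE.

```python
import re
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed static URL filter list: (type, pattern, action). The three types
# are the ones the profile offers; fnmatch and Python re stand in for
# FortiGate's wildcard matcher and PCRE.
URL_FILTER = [
    ("simple",   "www.example.com/blocked.html", "block"),
    ("wildcard", "*.example.net/*", "monitor"),
    ("regex",    r"^downloads\.example\.org/.*\.iso$", "exempt"),
]

# Constructed stand-ins for the FortiGuard rating service, the hostname-only
# web rating overrides, and the per-category actions of a web filter profile.
FORTIGUARD_RATINGS = {
    "www.example.com": "Business",
    "social.example.net": "Social Networking",
    "games.example.org": "Games",
}
RATING_OVERRIDES = {"games.example.org": "Custom-Allowed"}   # custom category
CATEGORY_ACTIONS = {
    "Business": "allow",
    "Social Networking": "warning",
    "Games": "block",
    "Custom-Allowed": "allow",
}
RATING_ERROR_ACTION = "block"   # a rating error can only be blocked or allowed


def split_url(url):
    """Return (hostname, host+path) for a URL given with or without a scheme."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return parts.hostname, parts.netloc + parts.path


def url_filter_match(url, entries=URL_FILTER):
    """First matching static URL filter entry as (pattern, action), or None.

    Simple entries must match the whole host+path exactly; there is no
    partial match. Wildcard and regex entries allow partial matching.
    """
    _, target = split_url(url)
    for kind, pattern, action in entries:
        if kind == "simple" and target == pattern:
            return (pattern, action)
        if kind == "wildcard" and fnmatchcase(target, pattern):
            return (pattern, action)
        if kind == "regex" and re.search(pattern, target):
            return (pattern, action)
    return None


def category_decision(url, contract_valid=True):
    """Return (category, action) for the URL's hostname.

    An override replaces the FortiGuard rating for that hostname, then the
    profile's action for the resulting category applies. Once the contract
    and its 7-day grace period have lapsed, every lookup is a rating error
    and overrides no longer help.
    """
    host, _ = split_url(url)
    if not contract_valid:
        return ("rating-error", RATING_ERROR_ACTION)
    category = RATING_OVERRIDES.get(host) or FORTIGUARD_RATINGS.get(host)
    if category is None:
        return ("rating-error", RATING_ERROR_ACTION)
    return (category, CATEGORY_ACTIONS.get(category, "allow"))


def inspect(url, contract_valid=True):
    """Run the checks in slide order and return the decision trail.

    Each element is (stage, detail, action); the last one is the effective
    verdict. A static-filter block ends inspection and exempt skips all
    further checks (modelled as skipping the category lookup), while allow
    and monitor let the request continue to FortiGuard category filtering.
    """
    trail = []
    match = url_filter_match(url)
    if match is not None:
        pattern, action = match
        trail.append(("url-filter", pattern, action))
        if action in ("block", "exempt"):
            return trail
    category, action = category_decision(url, contract_valid)
    trail.append(("fortiguard", category, action))
    return trail


if __name__ == "__main__":
    for url in ["http://www.example.com/blocked.html",
                "https://social.example.net/feed",
                "http://downloads.example.org/distro.iso",
                "http://games.example.org/play"]:
        print(url, "->", inspect(url))
    print("contract lapsed ->", inspect("http://games.example.org/play", False))
```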

Here's a look at the Web Filter profile. At the top you can enable FortiGuard and assign the actions to
the various web site categories.
If you scroll down towards the bottom, you will find the more advanced options that can be enabled, like
Safe Search and static URL filtering. Once you have enabled and saved the settings you require, you
need to apply the profile to your firewall policy to activate the options.

Web profile overrides change the rules that are used to inspect traffic. Enabling them allows
authorized users to enter a passcode that changes the Web Filter profile inspecting their traffic to
another profile. Proper configuration would mean this new profile has elevated access permissions and
allows additional websites. The new profile is used to inspect ALL of their web traffic from that point
on, until the timer expires. Authentication must be enabled in order to use this. Once web profile
overrides are enabled, the FortiGuard block page shows an override link that users can select in order
to activate the override.

Apply to Groups: Select the user credentials that allow overrides.
Assign to Profile: Which Web Filter profile will be used after a successful override.
Scope: Who will be affected by the override.
Duration: How long the override will last.

How the FortiGate handles HTTPS traffic is decided based on the settings of the SSL Inspection profile
that is applied to the Firewall Policy. SSL Certificate Inspection reads only unencrypted data from the
hello message, whereas Full SSL Inspection will proxy SSL, allowing for full content inspection.
SSL and Certificates are covered in more detail in the Certificate Operations module.

This is an example of the log message generated as a result of applying a web filter profile on a firewall
policy. Access details include information about the FortiGuard quota and category (if those are
enabled), which web filter profile was used to inspect the traffic, the URL and more details about the
event.

You can also view the raw log data by selecting the Download Raw Log button at the top right of the
GUI. When the downloaded file is opened, it will be a plain text file in a syslog format.

The list of IPs to use for FortiGuard comes back from the update server (FortiGuard Distribution Network or
FortiManager).

Weight: Based on the difference in timezone between the FortiGate and this server (modified by
traffic).
RTT: Round trip time.
Flags: D (IP returned from DNS), I (contract server contacted), T (being timed), F (failed).
TZ: Server timezone.
Curr Lost: Current number of consecutive lost packets (in a row; resets to 0 when 1 packet
succeeds).
Total Lost: Total number of lost packets.

The list is of variable length, depending on the FortiGuard Distribution Network, but approximately 10
IPs in total is the average.

Logs can be used to determine the decision made by FortiGate, but this depends on the configured
settings. The firewall policy may not be set to log, or the action could be set to accept; in both of those
cases no log event is generated to record the decision.
This diagnostic shows the full URL in the output. In order to fit it on this page, some of the output was
cut off. The source of the request, the hostname, the URL, the user (if authentication is enabled) and the
profile used to examine the URL can all be determined by reading the output.

Here is a review of what we discussed. We showed:

An overview of web filtering functionality
The different types and modes for web filtering
How static URL filtering works
How FortiGuard category filtering works
How to submit a website for rating
The different actions that can be associated with accessing a website
How to do a rating override and create a custom category
How to apply a quota to a category
An introduction to the Fortinet Bar
How it's possible to force safe search with some common websites
The order of the checks involved in inspecting websites
How to configure a web profile override
Finally, the basics of inspecting HTTPS traffic

Application Control

In this lesson, you will learn about how to control network applications beyond simply
blocking or allowing a port number.

After completing this lesson, you should have these practical skills to apply application
control, keep it up to date, and monitor what applications are being used on your
network.
Lab exercises can help you to reinforce what you've learned.

Application control detects applications, often ones that waste bandwidth, and
allows you to monitor and/or block the traffic. Like other UTM inspection, to use
application control, you must first set it up.
Unlike other forms of UTM, such as web filtering or antivirus, application control isn't
applied by a proxy. It uses the IPS engine, so it doesn't operate on built-in protocol states;
it matches patterns in the entire byte stream of the packet.
By comparison, when applying web filtering and antivirus via the HTTP proxy, the proxy
first parses HTTP and removes the protocol, and then scans only the payload inside.
Why does FortiGate use a flow-based scan for application control?

Because proxies can't easily detect peer-to-peer applications.

When HTTP and other protocols were designed, they were designed to be easy to
trace. In that way, administrators could easily give access to single servers behind NAT
devices such as routers and, later, firewalls.
But when peer-to-peer applications were designed, they had to be able to work without
assistance or cooperation from the network administrators. In order to achieve this,
the designers made them skilled at bypassing firewalls, and incredibly hard to detect.
Port randomization, pinholes, and changing encryption patterns are some of the
techniques that P2P protocols use.
These techniques make them difficult to block via firewall policy, and also make them difficult to proxy.

Let's show how this works.

Here is a traditional client-server architecture. There may be many clients of popular
sites, but often, such as with an office file server, it's just between one client and one
server.
Traditional downloads use a defined protocol over a standard port number. Whether it's
from a web or FTP site, the download is from a single IP address to a single IP
address. So blocking this kind of traffic is easy: you only need one firewall policy.
But it's more difficult for peer-to-peer downloads. Why?

Peer-to-peer downloads divide each file among multiple (theoretically unlimited) peers.
Each peer delivers part of the file. Interestingly, where having many clients is a disadvantage
for client-server architectures, it is an advantage for peer-to-peer: as the number of
peers increases to n, the file is delivered n times faster.
Because popularity increases the speed of delivery (unlike traditional client-server
architecture, where popularity could effectively cause a denial of service attack on the
server), some software, such as BitTorrent distributions of Linux and games
distributing new patches, leverages this advantage. Even if each client has little
bandwidth, together they can offer more bandwidth for the download than many
powerful servers.
Conversely, in order to download the file, this also means that the requesting peer can
consume much more bandwidth per second than it could from only a single server.
Even if there is only one peer on your network, it can consume unusually large
amounts. And because the protocols are usually evasive, and there will be many
sessions to many peers, they are difficult to completely block. In a DHCP LAN or guest
Wi-Fi, where the inside peer doesn't have a static IP address or even a predictable
physical location, it can be extremely difficult to find and stop.

So how does application control block these applications, and more? It scans packets
passing through FortiGate, and looks for patterns.
A particular application, such as Google Talk, is identified by matching known patterns
to its transmission patterns. So obviously it can only be accurately identified if this
stream is unique somehow. Not every application behaves in a unique way; many reuse
pre-existing, standard protocols and communication methods. For example,
many video games such as World of Warcraft now use the BitTorrent protocol to
distribute game patches.
Application control only scans the network traffic. It doesn't scan
software installed on the client; this would require software to be installed on the
endpoint, such as a FortiScan agent. So it won't detect software until it starts and
connects to the network.
Application control does not use FortiGate's proxies. So unlike some other UTM profiles, you can't
switch between proxy-based and flow-based inspection.

Before you try to control applications, it's important to understand how that works.
How does application control detect the newest applications, and changes to those applications'
protocols?
To do this, you can configure your FortiGate to automatically update its application control signature
database, in the same way that it polls FortiGuard for new IPS signatures.
The extended IPS signature package includes more application control signatures. So if you don't find
the ones you need initially, you can enable that option to download more.

To view the signatures that your FortiGate has downloaded, click the View Application
Signatures link in the application control profile.
Remember, if you did not enable download of the extended IPS database, FortiGuard
may have more signatures available that you do not see in the GUI. To see those, visit
the FortiGuard web site.

Application Control

On the FortiGuard web site, you can read details about each signature's related
application. Let's look at an example.
This is the article for Google Talk. It is an instant messenger, so Fortinet has put it in
the Collaboration category. The article mentions that Google Talk, like many instant
messengers now, uses the Jabber protocol. So if you block the application, the logs
may show the Jabber protocol, even though the application that the user has installed
is named Google Talk.
If there are any special requirements in order to scan or block the application, the
article provides some advice. But it's always wise to search the Internet for more
information, and to make test policies and observe the behavior.
At the top of the page, you'll also notice a risk rating.

Application Control

When building an application control signature, FortiGuard's security research team evaluates the
application and assigns a risk level. It is based on the types of security risk. The rating is Fortinet-specific,
and not related to CVSS or other external systems.
If you aren't aware of specific software, this information can help you to decide if it would be wise to
block the software or not.

Application Control

If there are new applications that you need to control, and the latest update doesn't
have any definitions for them, you can ask FortiGuard to add them.
Remember, though, that not all applications can be uniquely defined. That is to say,
there must be something about the traffic that can be used to differentiate it from other
similar traffic: traffic that occurs on the same port, or via the same protocol.

Application Control

Once you have a signature, the next step is to define your settings to control it. Do this in an application
sensor.
Then, to apply your application control settings, select the profile in the firewall policy.
Like any other security profile, these settings are not global. FortiGate will only apply them to traffic
governed by the firewall policy where you've selected an application control profile. This allows granular
control.

Application Control

Did you see these two at the end of the list of categories? They are catch-all
categories:
- All Other Known Applications
- All Other Unknown Applications
All Other Known Applications matches traffic that can be identified, but that, in the
profile, you did not explicitly enable. This is because some categories are only directly
configurable through the CLI: the ones that are in the extended IPS database.
All Other Unknown Applications matches traffic that could not be identified. Application
control will create a log entry that says the traffic is an Unknown Application.
Depending on:
- how many rare applications your users have
- which IPS database you are using (remember, the default IPS database can identify
  fewer rare applications than the extended one)
this might cause many log entries. Frequent log entries decrease performance.

Application Control

Once you've applied application control, FortiGate will start to scan packets for
matches. It will do this in a specific order.
There are two major sections to the application control profile:
- Categories, at the top
- Application Overrides, below Categories
First, IPSEngine examines the traffic stream for a signature match. If you've configured
any overrides, application control considers those first. It looks for a matching override
starting at the top of the list, like firewall policies. If no matching override exists, then
application control applies the action that you've configured for applications in your
selected categories.
Multiple overrides for the same signature cannot be created.

Application Control

Both category and override actions are configurable:
- Allow: simply passes the traffic
- Monitor: passes the traffic, but also records a log message
- Block: drops the detected traffic without notifying the client, and records a log message
- Reset: resets the TCP connection, and records a log message
- Traffic Shaping: rate limits the application so that it doesn't deprive more important traffic of
  bandwidth, and also records a log message
Which is the correct action to select? It depends on the application. If an application requires feedback to
prevent instability or other unwanted behavior, then you might use Reset instead of Block. If you need
to allow the application but prevent it from starving other applications of bandwidth, then traffic shaping
might be a good choice. Otherwise, the most efficient use of FortiGate resources is to simply block.
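The decision order spelled out on the last few slides (overrides first, top to bottom; then the action of the matching category; then the All Other Known / All Other Unknown catch-alls) is easy to get wrong when a profile mixes blocked categories with shaped overrides. The following Python model is an added example written for this guide, not FortiGate code and not Fortinet's implementation: the signature table, the category names and the sensor settings are constructed for illustration, and "shape" stands for the Traffic Shaping action. It lets you predict which action a given application would receive before you push a sensor to a firewall policy.

```python
"""Model of the application-control decision order described in the slides:
overrides are checked first (in list order), then the category action, then
the two catch-all categories. Added example; not FortiGate code."""

from dataclasses import dataclass, field
from typing import Optional

# Actions named on the slides. "shape" stands for the Traffic Shaping action.
ACTIONS = {"allow", "monitor", "block", "reset", "shape"}

# Constructed signature table: application -> category. In a real sensor these
# come from the FortiGuard application control database, not from this file.
SIGNATURES = {
    "Facebook": "Social.Media",
    "YouTube": "Video/Audio",
    "BitTorrent": "P2P",
    "Google.Talk": "Collaboration",
}


@dataclass
class Override:
    application: str
    action: str


@dataclass
class Sensor:
    # category -> action; categories not listed fall through to the catch-alls
    categories: dict
    overrides: list = field(default_factory=list)
    other_known_action: str = "allow"   # All Other Known Applications
    unknown_action: str = "allow"       # All Other Unknown Applications

    def add_override(self, application: str, action: str) -> None:
        """Append an override; the slides note one override per signature."""
        if action not in ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        if any(o.application == application for o in self.overrides):
            raise ValueError(f"override for {application} already exists")
        self.overrides.append(Override(application, action))

    def decide(self, app: Optional[str]):
        """Return (action, reason) for one identified application.

        app is None when IPSEngine found no signature match, i.e. the traffic
        falls into All Other Unknown Applications.
        """
        if app is None:
            return self.unknown_action, "All Other Unknown Applications"
        # Overrides are consulted first, top to bottom, like firewall policies.
        for ov in self.overrides:
            if ov.application == app:
                return ov.action, f"override:{app}"
        category = SIGNATURES.get(app)
        if category in self.categories:
            return self.categories[category], f"category:{category}"
        # Identified, but its category is not enabled in this profile.
        return self.other_known_action, "All Other Known Applications"


def logged(action: str) -> bool:
    """Allow is the only action that passes traffic without a log message."""
    return action != "allow"


def example_sensor() -> Sensor:
    """Sensor mirroring the slide example: block Social.Media and Video/Audio
    as categories, but rate-limit Facebook and YouTube through overrides."""
    s = Sensor(categories={"Social.Media": "block", "Video/Audio": "block"})
    s.add_override("Facebook", "shape")
    s.add_override("YouTube", "shape")
    return s


if __name__ == "__main__":
    sensor = example_sensor()
    for name in ["Facebook", "YouTube", "BitTorrent", "Google.Talk", None]:
        action, why = sensor.decide(name)
        print(f"{name!s:12} -> {action:7} ({why}) logged={logged(action)}")
```

Note that with only two categories configured, BitTorrent and Google Talk are still identified but fall into All Other Known Applications, which here is set to allow; on a real sensor that is exactly the case where a monitor action on the catch-all is the cheap way to see what else is on the wire.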

Application Control

Order of scans is introduced in the firewall policies lesson. But here is a review of the third phase: where
application control occurs.
Application control is later than many of FortiGate's other scans and actions, such as for VPN ingress
and DoS.
But within UTM, it is one of the first scans. So if traffic is blocked by application control, FortiGate never
does later scans like web filtering or antivirus, even if those profiles use flow-based inspection from
IPSEngine, just like application control. But if you have configured application control to allow the traffic
(not block it or reset the TCP connection), then FortiGate will proceed to the next scans: email filtering,
web filtering, and antivirus. Because each scan can have exemptions, this has some interesting effects.

Application Control

Here is an example of how several UTM features could work together, overlap, or act as substitutes, on the
same traffic.
In this profile, application control (in general) blocks the categories Social.Media and Video/Audio. For
those applications, FortiGate responds with application control's HTTP block message. (It's slightly
different than web filtering's HTTP block message.) But at the bottom of this profile, there are some
exceptions. Instead of blocking, application control applies traffic shaping to Facebook and YouTube.
After the application control scan is done, FortiGate begins other scans, such as web filtering. This, too,
could block Facebook and YouTube, but it would use its own message. Also, web filtering doesn't check
the list of application control overrides. So even if an application control override allows and rate
limits an app, web filtering could still block it.
Similarly, static URL filtering has its own Exempt action, which bypasses all subsequent security
checks. However, application control occurs before web filtering, so that web filtering exemption can't
bypass application control.

Application Control

For HTTP-based applications, application control can provide some feedback to the user about why their
application was blocked. This is called a block page, and it's similar to the one you can configure for
URLs that you block via FortiGuard Web Filtering.
The block page says:
- which signature detected the application (in this case, HTTP.Browser_Firefox)
- the signature's category (Web.Others)
- the URL that was specifically blocked (in this case, the index page of msn.com), since a web page
  can be assembled from multiple URLs
- the client's source IP (10.0.1.10)
- the server's destination IP (23.101.196.141)
- user name (if authentication is enabled)
- the UUID of the policy governing the traffic
- and the FortiGate's host name
The last two pieces of information can help you to find which FortiGate blocked the page, even if you
have a large network with many FortiGates securing different segments.

Application Control

If an application is necessary, but you do need to prevent it from impacting bandwidth
for more sensitive streaming applications such as video conferencing, then instead of
blocking it entirely you can rate limit the application.
Shaping traffic via application control is very useful when you are trying to limit traffic
that uses the same TCP or UDP port numbers as a mission-critical application. Some
high-traffic web sites such as YouTube can be throttled in this way.

Application Control

Let's say that you have enabled application control because users have been
complaining that the network is slow. During peak times, you notice that there is no
bandwidth remaining. Application control with the Monitor action selected showed
that many users were using YouTube, and it correlated to periods of bandwidth
saturation.
How could you solve this?
With web filtering, you can see that www.youtube.com is often accessed, but it doesn't
analyze the function of each URL. And it can't apply traffic shaping.
Alternatively, since YouTube generates large volumes of traffic, you could use
application control signatures with a traffic shaping action. Let's examine the details of
how that could work.

Application Control

Not all URL requests to www.youtube.com are for video. Your browser makes several HTTP
requests for:
- the web page itself
- images
- scripts and style sheets
- video
and all of them have separate URLs. If you analyze a site like YouTube, the web pages themselves
don't use much bandwidth. Mostly, the culprit is the video.
But since it is all transported via the same protocol (HTTPS), and the URLs contain dynamically
generated alphanumeric strings:
- traditional firewall policies can't block or throttle it by port number/protocol, which are all the same
- web filtering cannot apply traffic shaping
With application control, you can rate limit only the videos. This prevents users from saturating your
network bandwidth while still allowing them to access the other content on the site, such as for
comments or sharing links.

Application Control

At the bottom of the application sensor, there are more options that affect how application control
functions.
Deep Inspection of Cloud Applications does not enable SSL Inspection. Many applications are
switching to HTTPS-only, so remember that for those, you will also need an SSL/SSH inspection
profile. This includes many popular ones, such as Twitter. If the application is encrypted, and you
haven't enabled SSL/SSH inspection, then application control won't be able to recognize the application.
If you choose to enable Allow and Log DNS Traffic, be aware that you should only do it for short
periods, such as during an investigation. Leaving this option enabled for long periods can impact
performance and cause premature disk failure. One log is created per packet. So depending on the
application, and how often it queries DNS servers, this can use significant system resources.
Replacement Messages for HTTP-based Applications allows you to replace blocked content with an
explanation for the users benefit. Application control can also link into the Fortinet Bar, if that has been
enabled. With non-HTTP applications, however, you can only drop the packets or reset the TCP
connection.

Application Control

If you have logging enabled, you can use it to discover which applications are being used on your
network, and details about them. Look in Log & Report > Security Log > Application Control.
In this example, application control detected a client attempting to access Facebook. The configured
action was to monitor the traffic. We know this because the Action indicates pass, so we know
FortiGate didn't block the traffic. But the action wasn't to simply allow the traffic without logging, either,
which we know because the log message exists.
To view details about the log message, click its entry. The application name is a link to the FortiGuard
encyclopedia web site. If you were unaware of the application, and don't know what type of risks it
presents, you could click the link to read more.

Application Control

If you look in the forward traffic log, where firewall policies record activity, you'll also find a summary of
traffic where FortiGate applied application control. Again, this is because application control is applied by
a firewall policy.
To find which policy applied application control, you can use either the Policy ID or the Policy UUID
fields of this log message.
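The two log slides above make a point worth automating: an application control entry with Action "pass" means the sensor was set to Monitor (plain Allow writes nothing), and the Policy ID / Policy UUID fields tie both the application control log and the forward traffic log back to the firewall policy that applied the sensor. The Python below is an added example, not part of the guide or of FortiOS. The sample lines are constructed in FortiGate's key=value log style; the field names used (type, subtype, app, appcat, action, policyid, poluuid) are assumed to match what the GUI shows, and the UUIDs are placeholders. The client and server IPs reuse the values from the block page slide.

```python
"""Parse constructed FortiGate-style key=value log lines, interpret the
application control Action field, and correlate entries with the forward
traffic log through Policy ID / Policy UUID. Added example; not FortiOS code."""

import re
from collections import Counter, defaultdict

# Constructed sample lines. Field names are assumed from the GUI columns the
# guide describes; UUIDs are placeholders, 198.51.100.x / 203.0.113.x are
# documentation addresses.
SAMPLE_LOG = """\
date=2015-04-30 time=10:15:22 type="utm" subtype="app-ctrl" srcip=10.0.1.10 dstip=23.101.196.141 dstport=443 policyid=1 poluuid="00000000-0000-0000-0000-000000000001" appcat="Social.Media" app="Facebook" action="pass"
date=2015-04-30 time=10:15:40 type="utm" subtype="app-ctrl" srcip=10.0.1.10 dstip=23.101.196.141 dstport=443 policyid=1 poluuid="00000000-0000-0000-0000-000000000001" appcat="Video/Audio" app="YouTube" action="pass"
date=2015-04-30 time=10:16:05 type="utm" subtype="app-ctrl" srcip=10.0.1.11 dstip=198.51.100.7 dstport=6881 policyid=2 poluuid="00000000-0000-0000-0000-000000000002" appcat="P2P" app="BitTorrent" action="block"
date=2015-04-30 time=10:16:09 type="utm" subtype="app-ctrl" srcip=10.0.1.12 dstip=203.0.113.9 dstport=5222 policyid=2 poluuid="00000000-0000-0000-0000-000000000002" appcat="Collaboration" app="Google.Talk" action="reset"
date=2015-04-30 time=10:16:30 type="traffic" subtype="forward" srcip=10.0.1.10 dstip=23.101.196.141 dstport=443 policyid=1 poluuid="00000000-0000-0000-0000-000000000001" appcat="Social.Media" app="Facebook" action="accept"
"""

# key=value pairs; values are either double-quoted or a run of non-blanks.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line: str) -> dict:
    """Turn one key=value log line into a dict, stripping the quotes."""
    rec = {}
    for key, value in FIELD_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        rec[key] = value
    return rec


def parse_log(text: str) -> list:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def app_control_records(records: list) -> list:
    """Only the entries from Log & Report > Security Log > Application Control."""
    return [r for r in records
            if r.get("type") == "utm" and r.get("subtype") == "app-ctrl"]


def effective_action(rec: dict) -> str:
    """Read the Action field the way the slide does: the entry exists, so the
    sensor did not use plain Allow; "pass" therefore means Monitor."""
    action = rec.get("action", "")
    return "monitor" if action == "pass" else action


def summarize(records: list):
    """Return (app -> Counter of effective actions, policy UUID -> Policy ID)."""
    by_app = defaultdict(Counter)
    policies = {}
    for rec in app_control_records(records):
        by_app[rec["app"]][effective_action(rec)] += 1
        policies[rec["poluuid"]] = rec["policyid"]
    return dict(by_app), policies


def forward_records_for_policy(records: list, poluuid: str) -> list:
    """Forward traffic entries carrying the same Policy UUID as an
    application control entry, i.e. the summary rows the slide mentions."""
    return [r for r in records
            if r.get("type") == "traffic" and r.get("subtype") == "forward"
            and r.get("poluuid") == poluuid]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    apps, pols = summarize(recs)
    for app, counts in sorted(apps.items()):
        print(f"{app:12} {dict(counts)}")
    for uuid, pid in pols.items():
        fwd = forward_records_for_policy(recs, uuid)
        print(f"policy {pid} ({uuid}): {len(fwd)} forward-traffic summary rows")
```

The summary is what you would reach for before widening an investigation: applications whose only effective action is monitor are the candidates for a block, reset or shaping decision, and the policy UUID column tells you which firewall policy's sensor has to change, which matters on a network with many FortiGates and many policies.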

Application Control

To review, here is what we discussed:
- How application control identifies traffic
- Why some traffic, especially peer-to-peer, is hard to block without application control
- FortiGuard's 5-point rating system for application control signatures
- How to submit requests for additional applications
- How to configure an application control sensor
- When to shape traffic
- Order of operations for the application control and IPSEngine processes
- How to read logs to discover which applications have been detected, and which
  action FortiGate applied