UseCase: Fortinet Engineered for Remote and Secure Productivity
Objective Title: Introduction
Points: 0
----------------------- Objective Section -----------------------
Objective Text:
Fortinet Teleworker Solution
Organizations face a number of different potential emergency situations, such as illness, flood,
hurricanes, and power outages. Implementing a business continuity plan is essential to ensuring
that the organization is capable of maintaining operations in the face of adversity and preparing
for potential disasters.
An important consideration for organizations developing a business continuity plan is that the
organization may not be capable of sustaining normal operations onsite. The ability to support
employees working remotely is essential to ensuring both business continuity and security.
Fortinet solutions offer an integrated solution to support telework. FortiGate next-generation
firewalls (NGFWs) have built-in support for IPsec virtual private networks (VPNs), enabling
remote workers to connect securely to the company network. With endpoint protection,
provided by FortiClient, and multi-factor authentication (MFA) with FortiAuthenticator,
organizations can securely support remote work and maintain business continuity.
Index: 1.0 (a)
UseCase: Fortinet Engineered for Remote and Secure Productivity
Objective Title: Topology
Points: 0
----------------------- Objective Section -----------------------
Objective Text:
Agenda
In the following lab exercises you will see how easy it is to provide remote
teleworkers with secure access to internal corporate resources by completing the following
objectives:
Topic                                                     Time
Lab 1: Introduction, Topology and Agenda                  5 Minutes
Lab 2: Configure Remote User Authentication               10 Minutes
Lab 3: Configure Gateway IPsec VPN                        5 Minutes
Lab 4: Configure Client Two-Factor Authentication         5 Minutes
Lab 5: Configure Remote User Protection                   10 Minutes
Lab 6: Demonstrate Remote User Secure Productivity        20 Minutes
Lab 7: Conclusion                                         5 Minutes
Index: 2.0
UseCase: Configure Remote User Authentication
Objective Title: Introduction
Points: 0
----------------------- Objective Section -----------------------
Objective Text:
Introduction
Remote teleworkers require secure access to internal resources at corporate offices to remain
productive when off-site. The first step in any remote worker scenario is to ensure that users can
be properly authenticated regardless of location.
Time to Complete: 10 minutes
Index: 2.0 (a)
UseCase: Configure Remote User Authentication
Objective Title: Import FortiToken Mobile Tokens
Points: 10
----------------------- Objective Section -----------------------
Objective Text:
Background
FortiAuthenticator provides services which are key in creating effective security policy,
strengthening security by ensuring only the right person at the right time can access your
sensitive networks and data. The following settings have been pre-configured on
FortiAuthenticator:
1. Remote LDAP server to import Active Directory users/user groups and provide Windows
AD domain authentication using Kerberos.
2. FortiGate-Edge as a RADIUS client so that FortiAuthenticator can accept RADIUS
authentication requests from a FortiGate unit.
Tasks
Note: If there are any existing FortiTokens, select and delete all of them.
Note: User bob is an Active Directory user account that has been pre-imported into
FortiAuthenticator via LDAP integration with AD, through Authentication > User
Management > Remote Users.
3. Click Edit.
Note: The token serial number will differ from the one shown in the screenshot
below.
5. Expand User Information and make sure the following email address has been
configured:
· Email address: bob@acmecorp.net
6. Click OK.
Question: Which of the following are valid methods of administering FortiToken? (Choose all
that apply)
Hint: 1 Points: 3
Hint Text:
Hint
Hint: 2 Points: 3
Hint Text:
Hint
· Includes two-factor tokens through the FortiToken Mobile app, which simplifies user input to
“click to accept”
Hint: 3 Points: 3
Hint Text:
Hint
Answer: checkbox
Answer Text:
Answer
· Centralized Authentication
· Multifactor Authentication
· Cloud based Token IDaaS Service
· Single Sign-on
· Guest Management
· Device Onboarding
Answer Key:
7
Index: 2.0 (b)
UseCase: Configure Remote User Authentication
Objective Title: Enable Two-Factor Authentication for Remote User
Points: 10
----------------------- Objective Section -----------------------
Objective Text:
Background
You will set up FortiAuthenticator to function as a RADIUS server to allow IPsec VPN users to
authenticate with a FortiToken.
Tasks
2. Click User & Device > RADIUS Servers > Create New and use the following information:
· Name: FAC_Server
· Secret: Fortinet1!
7. Click User & Device > User Groups > Create New and use the following information:
· Name: IPsec_VPN_Users
· Type: Firewall
3. Click OK.
4. Click OK.
Question: To confirm a user’s identity after authentication, which of the following is checked
first? (Choose one)
Answer: radio
Answer Text:
Answer
In most cases, the FortiGate unit authenticates users by requesting their username and
password. The FortiGate unit checks local user accounts first. If a match is not found, the
FortiGate unit checks the RADIUS, LDAP, or TACACS+ servers that belong to the user group.
Authentication succeeds when a matching username and password are found. If the user
belongs to multiple groups on a server, those groups will be matched as well.
Answer Key:
8
Index: 3.0
UseCase: Configure IPsec VPN
Objective Title: Introduction
Points: 0
----------------------- Objective Section -----------------------
Objective Text:
Introduction
Virtual Private Network (VPN) technology lets remote users connect to private computer
networks to gain access to their resources in a secure way. For example, an employee traveling
or working at home can use a VPN to securely access the office network through the Internet.
Instead of remotely logging into a private network using an unencrypted and unsecured
Internet connection, using a VPN ensures that unauthorized parties cannot access the office
network and cannot intercept information going between the employee and the office. Another
common use of a VPN is to connect the private networks of multiple offices.
Fortinet offers VPN capabilities in the FortiGate Unified Threat Management (UTM) appliance
and in the FortiClient Endpoint Security suite of applications. You can install a FortiGate unit on
a private network and install FortiClient software on the user’s computer. You can also use a
FortiGate unit to connect to the private network instead of using FortiClient software.
For the purposes of this lab we will be focusing on FortiClient IPsec tunnels.
Tasks
8. Log in to FortiGate-Edge.
9. Click VPN > IPsec Wizard.
10. Use the following information:
· Name: Teleworkers
3. Click Next.
4. Use the following Authentication settings:
· Incoming Interface: WAN (port3)
· Authentication Method: Pre-shared key
· Pre-shared key: Fortinet1!
· Leave Subnet Mask, DNS Server, Enable IPv4 Split Tunnel and Allow Endpoint
Registration settings set to default.
Note: By default, IPv4 Split Tunnel is enabled. In this configuration, remote users
are able to securely access the HQ internal network through the HQ firewall, yet
browse the Internet without going through the head office.
7. Click Next.
8. Use the following Client Options settings:
· Save Password: Turn on
· Auto Connect: Turn on
Note: When FortiClient is launched, the VPN connection will automatically
connect.
· Always Up (Keep Alive): Turn on
Note: When selected, the VPN connection is always up, even when no data is
being processed. If the connection fails, keep-alive packets sent to the FortiGate
will sense when the VPN connection is available again and re-connect the VPN.
9. Click Create.
Note: After you create the tunnel, a summary page appears listing the objects which
have been added to the FortiGate's configuration by the wizard.
Question: (True or False) By enabling Split Tunnel you can avoid overloading system resources
on the HQ firewall and send the remote client’s Internet traffic (For example, YouTube, Netflix
etc.) through their local ISP router?
----------------------- Answer Section -----------------------
Answer: radio
Answer Text:
Answer Key:
1
Index: 4.0
UseCase: Configure Client Two-Factor Authentication
Objective Title: Introduction
Points: 0
----------------------- Objective Section -----------------------
Objective Text:
Introduction
Passwords alone don't keep unwanted guests out of your network. Password-only
authentication has led to security breaches, malware infections, and policy violations. With two-
factor authentication, a password is used along with a security token and authentication server
to provide far better security. Authorized employees can access company resources safely using
a variety of devices, ranging from laptops to mobile phones.
Background
FortiToken confirms the identity of users by adding a second factor to the authentication
process through physical tokens or mobile-application-based tokens.
Tasks
3. Check bob’s inbox and open the email with subject line FortiToken Mobile activation.
4. Select and right-click to copy the activation code (without the quotation marks) provided in
the email.
Note: Your activation code will differ from the one provided in the image below.
Note: If the Android VM tablet screen is in sleep mode and presents a blank
screen, click the Virtual Keyboard icon ‘Ctrl-Alt-Del’ located at the left side on CloudShare to
send a keystroke.
CAUTION: The proper use of FortiToken is highly dependent upon time synchronization
between all the devices. It is likely that the virtualized Android tablet in the lab
environment will not have the correct system time. This is easily corrected by using the
installed NTP & GPS Clock application.
Note: You should see a significant Offset value indicating that the clocks are out of sync.
9. Long press (click and hold) within the box labelled Offset to synchronize the time.
Note: The time offset should now be minimal.
10. Verify that the time is the same on the Windows 10 (Remote) and Android Tablet
(Remote) devices.
15. To paste the activation code copied earlier, click anywhere in the activation code space
area.
16. Click the Virtual Keyboard icon ‘Send Text’ located at the left side on CloudShare.
17. In the Send Text window, right-click and click Paste to paste the activation code.
18. Click Send. The activation code should be automatically pasted in the FortiToken Mobile
application. If the full 16-digit code doesn’t get automatically pasted, enter it manually.
Note: Make sure that the 16-digit activation code pasted in the FortiToken Mobile app
matches exactly with the one provided in email. You may need to type the activation
code manually if there is a mismatch.
Note: The PIN will be used for secure access to your application and tokens.
21. Enter a four-digit PIN 1234. Confirm the PIN one more time by typing it again.
Note: A token code with a timer should appear, which means FortiToken Mobile has
been successfully set up.
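The CAUTION above states that FortiToken depends on time synchronization between devices. The following script is an added example, not code from the lab guide or from Fortinet: it models a time-based token with standard RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits) to show why a tablet clock that is off by a few seconds still produces an acceptable code, while one off by minutes produces codes the server rejects. The seed, timestamps and the server's one-step tolerance window are constructed assumptions; FortiToken Mobile's actual parameters are not given on the page.

```python
import base64
import hashlib
import hmac
import struct

# Constructed demo seed (not a real FortiToken seed). Standard RFC 6238 TOTP
# is used here as an illustrative model of a time-based token.
SEED = base64.b32decode("JBSWY3DPEHPK3PXP")
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP whose counter is derived from the device's own clock."""
    return hotp(secret, unix_time // step)


def verify(secret: bytes, code: str, server_time: int, window: int = 1) -> bool:
    """Server-side check (assumed policy): accept the code for the current time step
    and +/- `window` adjacent steps. This tolerates network delay and minor drift only."""
    base = server_time // STEP_SECONDS
    return any(hmac.compare_digest(hotp(secret, base + k), code)
               for k in range(-window, window + 1))


def token_accepted(client_offset_seconds: int, server_time: int = 1_700_000_000) -> bool:
    """Simulate the lab tablet whose clock is off by `client_offset_seconds`.
    The token app computes the code from its own (wrong) clock; the server
    validates it against the correct time."""
    device_time = server_time + client_offset_seconds
    return verify(SEED, totp(SEED, device_time), server_time)


if __name__ == "__main__":
    # A 20 s skew crosses a step boundary yet is still inside the window;
    # 5 minutes or an hour of skew is not, so the user is rejected.
    for offset in (0, 20, -45, 300, -3600):
        state = "accepted" if token_accepted(offset) else "REJECTED"
        print(f"device clock offset {offset:+6d}s -> {state}")
```

This is why the lab has you correct the tablet's clock with the NTP & GPS Clock application before entering a code.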
Index: 5.0
UseCase: Configure Remote User Protection
Objective Title: Introduction
Points: 0
----------------------- Objective Section -----------------------
Objective Text:
Introduction
Endpoints are frequently the target of initial compromise or attacks. One recent study found
that 30% of breaches involved malware being installed on endpoints. FortiClient Fabric Agent
strengthens endpoint security through integrated visibility, control, and proactive defense. With
the ability to discover, monitor, and assess endpoint risks, you can ensure endpoint compliance,
mitigate risks, and reduce exposure. FortiClient Fabric Agent proactively defends against
advanced attacks. Its tight integration with the Security Fabric enables policy-based automation
to contain threats and control outbreaks. FortiClient Fabric Agent is compatible with Fabric-
Ready partners to further strengthen enterprises’ security posture.
Background
Tasks
12. From the Jumpbox Server, log in to the FortiClient EMS server at https://192.168.0.125 or use
the browser bookmark.
Username: admin Password: Fortinet1!
8. Click Cloud.
Background
Endpoint policies make it simpler to provision endpoints. You can create and manage
endpoint policies to assign profiles and/or Telemetry gateway lists to domains, OUs, and
workgroups. You can also create and manage Chromebook policies to assign profiles to Google
domains.
Tasks
· Click Save.
4. Click Change Priority, located at the top right corner.
5. Click the three-dots icon and drag your mouse to move the Teleworkers policy to the top of
the list.
Question: Which of the following subnets (pre-configured) determines if the endpoint is On-
Net? (Choose One)
Hint: 1 Points: 4
Hint Text:
Hint
Answer: radio
Answer Text:
Answer
The endpoint has a status of on-net when the endpoint is inside one of the on-net subnets
defined in FortiClient EMS under Policy Components > On-net Detection Rules. In this case, the
pre-configured On-Net-HQ-172.16.100.0/24 rule defines that any endpoint outside of
172.16.100.0/24 (HQ’s DC_Network) should be considered off-net.
Answer Key:
2
Index: 6.0
UseCase: Demonstrate Remote User Secure Productivity
Objective Title: Introduction
Points: 0
----------------------- Objective Section -----------------------
Objective Text:
Introduction
While working remotely, employees need to utilize corporate resources and safely traverse the
Internet from a remote location such as their home, a coffee shop, an airport, or a customer
location. In the previous exercises you have addressed the need for a secure and private
connection across the public Internet, as well as the ability to verify identity to the organization
when connecting to the network, sensitive applications, or protected data.
In the following exercises you will now demonstrate the power and protection these simple
efforts can bring to your organization and remote users.
Background
Using FortiClient and the FortiToken Mobile application, remote users can quickly and securely
connect to the corporate network.
Tasks
19. Click the CON icon located at the left on CloudShare under Remote Access Controls to switch to
the console connection.
Note: When initiating a remote VPN connection, RDP connectivity will be lost as new
routes are injected into the routing table.
3. Click the Send Ctrl-Alt-Delete icon located at the left on CloudShare under Virtual Keyboard.
4. Log in to the Windows machine using Bob’s credentials:
Username: bob Password: Fortinet1!
Note: Within a few seconds, FortiClient Fabric Agent will sync with the EMS server via
Telemetry and start receiving configuration updates. All protection profiles, such as
Malware Protection, Sandbox Detection, Web Filter and Application Firewall, will be
enabled.
9. Click Save.
Log in to HQ-VPN
Note: If the username/password prompt hasn’t shown up, navigate to any other section in
FortiClient and then click Remote Access.
3. Click Connect.
Note: Since you enforced two-factor authentication for user bob on FortiGate-Edge, a
prompt will come up asking for the token code.
4. Go to Android Tablet via CloudShare tab.
5. If the screen is in sleep mode, click the Send Ctrl-Alt-Delete icon located at the left on
CloudShare under Virtual Keyboard to wake it up.
6. Open the FortiToken Mobile application to view the six-digit code.
Note: If asked for a PIN, enter 1234. If the token code is not visible, click the eye icon to
view the code. If the timer is about to expire, wait for a new code, because by the time
you enter the token code into FortiClient it would have already expired.
7. Enter the six-digit token code in FortiClient.
8. Click OK. The VPN connection should be up. The FortiClient console will be minimized and
can be opened from the system tray.
Index: 6.0 (b)
UseCase: Demonstrate Remote User Secure Productivity
Objective Title: Secure Access to Corporate Resources
Points: 0
----------------------- Objective Section -----------------------
Objective Text:
Background
Once connected, access to remote folders, files and other network resources is as seamless as
being in the office.
Tasks
22. Now that the VPN is up and running, in the Start > Run dialog box on Windows 10 Remote,
type the path \\172.16.100.10\Marketing.
Note: 172.16.100.10 is the IP address of the Windows Server 2012 sitting in the HQ office.
Since you are connected to HQ through the VPN, you have access to HQ resources (for
example, SMB file shares and shared folders) in the same manner as you would
while sitting in your cubicle at HQ itself.
2. Click OK.
Background
Working remotely does not mean that users need to sacrifice security. Security policies for
remote vs. local users can be exactly the same, or adjusted to account for individual work
requirements.
Tasks
8. Scroll down to Site Categories. Click + to expand the Adult/Mature Content FortiGuard web
category.
9. Click the drop-down icon beside the Gambling web category and click Block.
10. Click Save.
12. Click user bob and view Summary to see device information, location, policy
configuration, FortiClient version, AV and application control signature versions, events
and much more.
Note: FortiClient EMS provides visibility across the network to securely share
information and assign security profiles to endpoints.
13. Click the checkmark box to select Bob’s Windows 10 machine.
14. Click Scan to view the available AV scan and Vulnerability scan options.
Note: Running the Vulnerability Scan from a centralized EMS server gives
administrators a good picture of high-risk hosts and critical vulnerabilities existing on
endpoints. It also provides links on how to fix or repair the vulnerabilities.
15. Click Vulnerability Scan to start a vulnerability scan on Bob’s Windows 10 (Remote) host.
Note: Let the scan run in the background, as it will take some time to finish
successfully. Please continue to the next step.
16. Log in to Windows 10 Remote.
17. Open Google Chrome.
Note: DON’T add the web filter Chrome extension if you see an installation prompt.
18. Click the betway browser bookmark.
19. A certificate error comes up. Click Advanced to proceed to the website.
20. A block page appears, which means access to the gambling website has been blocked by the
FortiClient web filter.
Note: EMS pushed configuration updates to FortiClient after the change was made to the
Teleworkers endpoint profile’s web filter. Also, if you remember, you enabled the split tunnel
option for the Teleworkers IPsec VPN, so all of the Windows 10 Remote machine’s Internet traffic
is routed through the local ISP router. In such scenarios, FortiClient can still provide
critical protection to corporate assets without overloading your organization’s Edge
firewall.
21. Open the FortiClient console and click VULNERABILITY SCAN to see the critical, high, medium
and low risk vulnerabilities detected on Windows 10 (Remote).
Note: If the vulnerability scan is still in progress, please continue to the next objective. Once you
have completed all the use cases, you can always come back to check again. For more
information on patching vulnerabilities, endpoint grouping/tagging and additional endpoint
management functionalities that FortiClient EMS offers, consider having a look at the
Endpoint Solution Fast Track.
Index: 6.0 (d)
UseCase: Demonstrate Remote User Secure Productivity
Objective Title: Remote Telephony
Points: 0
----------------------- Objective Section -----------------------
Objective Text:
Background
FortiFone provides unified voice communications with VoIP connectivity that is secured and
managed via FortiGate NGFWs. The FortiFone soft client interface allows users to make or
receive calls, access voicemail, check call history, and search the organization’s directory right
from a mobile device.
In this exercise you will demonstrate how workers can still access their office extension even
when working remotely.
Tasks
Note: A soft phone extension for alice (ext. 5000) sitting on Windows Server (HQ) has
been pre-configured.
3. Click New and use the following information:
· Number: 5500
6. Click Create.
30. Select entry with Display Name bob and click Edit.
2. On the left side of the screen, under Sound, choose Enabled with High Quality from the
drop-down list.
· Server: 172.16.100.15
Note: Since you are connected to HQ-VPN, FortiFone can register to the
FortiVoice server’s local IP address in the DC_Network.
· Username: 5500
Note: 5500 is the IP extension configured earlier for user bob.
· Password: 12345
5. Click Login.
34. Once FortiFone is successfully registered, type Alice’s extension 5000 using the keypad
and click the dial button.
7. Log in to Windows Server (HQ) and you should see an incoming call from Bob.
Note: If you decide to pick up the FortiFone installed on Windows Server (Alice), the call
will drop and an error prompt ‘Microphone not detected' will show up on Alice’s
FortiFone. This is expected behavior. The issue is due to hardware limitations in the
hosted lab environment and is not representative of production use; the setup works
seamlessly in a real production environment. The sole purpose of this lab
objective is to demonstrate that remote telephony can be established using
FortiVoice and FortiFone, and that goal has been accomplished.
Index: 7.0
UseCase: Conclusion
Objective Title: Review
Points: 0
----------------------- Objective Section -----------------------
Objective Text:
Review
After completing this Fast Track module, you should understand how to:
· Configure two-factor authentication necessary for secure access
· Create an inbound VPN policy on FortiGate that allows teleworkers to tunnel back to
corporate headquarters
· Configure Fortinet Endpoint Management Server (EMS) to protect remote users as
effectively as if they were located at the corporate office
· Demonstrate successful operation of these critical functions
Index: 7.0 (a)
UseCase: Conclusion
Objective Title: End of Session
Points: 0
----------------------- Objective Section -----------------------
Objective Text:
Hands-On Lab
Thank You
Please take a moment to complete our short survey, located in the web portal tab above.