FORTINET TRAINING SERVICES

FortiGate Multi-Threat Security Systems
Administration, Content Inspection and Basic VPN Access
Course 201-v4.0
www.fortinet.com

Contents

Course Overview
  Course Objectives
  Prerequisites
  Who Should Attend
  Certification
  Self-Paced Training Course
  Course Evaluation (for Self-Paced Training Students)

Lesson 1 - Overview and System Setup
  Unified Threat Management
  The Fortinet Solution
    FortiGate
    FortiGuard
    FortiManager
    FortiAnalyzer
    FortiMail
    FortiClient
  Firewall Basics
    Types of Firewalls
    Network Address Translation
  FortiGate
    FortiGate Capabilities
    FortiGate Unit Description
    FortiGate Front View
    FortiGate Back View
    Operating Modes
  Device Administration
    Web Config
    Command Line Interface (CLI)
    Administrative Users
    Interface Addressing
    DNS
    Configuration Backup and Restore
    Firmware Upgrades
  Lab 1 - Initial Setup

Lesson 2 - FortiGuard Subscription Services
  FortiGuard Distribution Network
    Connecting to the FortiGuard Servers
  FortiGuard Antivirus Service
  FortiGuard Intrusion Protection System Service
  FortiGuard Web Filtering Service
    FortiGuard Rating Server
    FortiGuard Web Filtering Service
  FortiGuard Antispam Service
    Antispam Filters
    Spam Filtering Techniques
  Enabling FortiGuard Subscription Services
    Licensing
    Scheduled Updates
    Push Updates
    Manual Updates
    Caching
    FortiGuard Web Filtering Categories
    Antispam Controls
    Configuring FortiGuard Subscription Services Using the CLI
  FortiGuard Center
  Lab 2 - Fortinet Subscription Services

Lesson 3 - Logging and Alerts
  Log Storage Locations
    Local Hard Disk
    FortiAnalyzer
    System Memory
    Syslog
    FortiGuard Analysis Service
    Logging to Multiple FortiAnalyzer Units or Syslog Servers
  Logging Levels
    Emergency
    Alert
    Critical
    Error
    Warning
    Notification
    Information
    Debug
  Log Types
    Event Log
    Traffic Log
    Attack Log
    AntiVirus Log
    Web Filter Log
    AntiSpam Log
    DLP Log
    Application Control Log
  Configuring Logging
    Selecting Location and Level
    Enabling Log Generation
  Viewing Log Files
    Log Display Formats
  Content Archiving
    Enabling Content Archiving
    Viewing Content Archives
  Alert Email
    Configuring Alert Email
  SNMP
    Configuring SNMP
    Configuring an Interface for SNMP Access
  Lab 3 - Logging and Monitoring

Lesson 4 - Firewall Policies
  Overview
  Policy Matching
  Firewall Policy List
  User Authentication to Firewall Policies
    Authentication Protocols
  Creating or Editing Policies
    Firewall Addresses
    Firewall Schedules
    Firewall Services
    NAT
    Virtual IPs
    Protection Profiles
    Traffic Shaping
    Disclaimers
  Lab 4 - Firewall Policies

Lesson 5 - Basic VPN
  FortiGate VPN
    SSL VPN
    PPTP VPN
    IPsec VPN
  SSL VPN
    Operating Modes
    User Accounts
    Configuration Overview
    Enabling SSL VPN and Configuring SSL VPN Settings
    Firewall Policies
    SSL VPN Bookmarks
    Connecting to the VPN
  PPTP VPN
    Infrastructure Requirements
    FortiGate PPTP Topologies
    PPTP Server Configuration
    PPTP Pass-Through Configuration
  IPSec VPNs
    IPSec Protocols
    Modes of Operation
    Security Association (SA)
    Internet Key Exchange (IKE)
    Network Topologies
    Gateway-to-Gateway Configuration
    Defining Phase 1 Parameters
    Firewall Policies
  Lab 5 - SSL and IPSec VPN

Lesson 6 - Authentication
  Overview
  Authentication Methods
    Local
    Remote
  Users and User Groups
    Users
    User Groups
  Authentication Settings
  PKI Authentication
    X.509 Certificates
  RADIUS Authentication
    Configuring a RADIUS Server
  LDAP Authentication
    Configuring an LDAP Server
  TACACS+
    Configuring a TACACS+ Server
  Microsoft Active Directory Authentication
    Fortinet Server Authentication Extensions (FSAE)
    FSAE Configuration on the Microsoft Active Directory Server
    FSAE Configuration on the FortiGate Unit
  Lab 6 - Authentication

Lesson 7 - Antivirus
  Antivirus Elements
    File Filter
    Virus Scan
    Grayware
    Heuristics
  File Filter
    File Pattern
    File Type
    Actions
    Enabling File Filtering
    File Filter List Catalog
    New File Filter List
    File Filter Pattern List
  Virus Scan
    Updating the Antivirus Definitions
  Grayware
    Grayware Categories
    Spyware
  Quarantine
    Quarantined Files List
    Configuring Quarantine Options
  Proxies
    Splicing
    Client Comforting
  Scanning Options
    Extended AV Database
    Oversized File/Email
    Signatures
    Replacement Messages
    Scanning Non-Standard Ports
    Uncompressed Size Limit
  Lab 7 - Antivirus Scanning

Lesson 8 - Spam Filtering
  Spam Filtering Methods
    IP Address Check
    URL Check
    Email Checksum Check
    Spam Submission
    Black/White List
    HELO DNS Lookup
    Return E-mail DNS Check
    Banned Word
    MIME Headers Check
    DNSBL and ORDBL
  FortiGuard Antispam
    Global Filters
    Customized Filters
  Enabling Antispam
  Spam Actions
  Banned Word
    Banned Word List Catalog
    New Banned Word List
    Configuring Banned Words
    Banned Word List
  Black/White List
    IP Address Filtering
    Email Address List Filtering
  Multipurpose Internet Mail Extensions (MIME) Headers Check
  DNS Blackhole List and Open Relay Database List
  FortiMail Antispam

Lesson 9 - Web Filtering
  Order of Filtering
  Web Content Block
    Web Content Block List Catalog
    New Web Content Block List
    New Banned Pattern List
    Web Content Block List
  Web Content Exemption
    Web Content Exempt List Catalog
    New Web Content Exempt List
    New Web Content Exempt Patterns
    Web Content Exempt List
  Enabling Web Filtering
  URL Filter
    URL Filter List Catalog
    New URL Filter List
    New URL Filter List Entry
    URL Filter List
  FortiGuard Web Filter
    Web Filtering Categories
    Web Filtering Classes
    Enabling FortiGuard Web Filtering
    Web Filtering Override
  Lab 8 - Web Filtering

Appendix 1 - Fortinet Certification
  Fortinet Certified Network Security Administrator (FCNSA)
  Fortinet Certified Network Security Professional (FCNSP)
  Fortinet Certified Trainer (FCT)
  Fortinet Certified Network Security Administrator Suggested Reading
    Highly Recommended
    Mandatory
  Fortinet Certified Network Security Professional Suggested Reading
    Highly Recommended
    Mandatory
  Certification Exams

Course Overview

This course provides an introduction to the configuration and administration of FortiGate Unified Threat Management appliances. Through a variety of hands-on labs, you will learn about the most common features of the FortiGate unit. You will gain a solid understanding of how to integrate the FortiGate unit into your existing environment and of the operational maintenance involved in ensuring optimal performance and full protection of your corporate assets.
Course 201-v4.0 Administration, Content Inspection and Basic VPN Access 01-4000-0201-20090501

Course Objectives

Upon completion of this course, students will be able to:
+ Use Web Config and the CLI to complete the following administration and maintenance tasks for FortiGate devices:
  + system settings and network configuration
  + creating administrative accounts
  + performing system backups
  + monitoring system alerts, device performance and operational status
  + FortiGuard Distribution Network services and updates
  + managing firmware to ensure availability and reliability
+ Implement logging and monitoring features of the FortiGate device, using a FortiAnalyzer appliance for content archiving
+ Construct firewall policies with content inspection, schedules, source and service type restrictions, and log unauthorized traffic
+ Apply firewall policy options for authentication, virtual IP addresses, IP pools and traffic shaping
+ Create firewall protection profiles to implement FortiGate antivirus features such as file pattern blocking, grayware scanning, file quarantine and antivirus scanning
+ Configure antispam filtering using the subscription-based FortiGuard Antispam Service and banned word methods
+ Use FortiGate Web Filtering features including URL filtering, content blocking and the FortiGuard Web Filtering Service
+ Understand the differences between NAT/Route and Transparent operational modes

Prerequisites

The following is required to attend this course:
+ Introductory-level network security experience
+ Basic understanding of core network security and firewall concepts

Who Should Attend

This introductory-level course is intended for anyone who is responsible for the day-to-day administration and management of a FortiGate unit.
Certification

This course helps to prepare students for the following certification exams:
+ Fortinet Certified Network Security Administrator (FCNSA)
+ Fortinet Certified Network Security Professional (FCNSP)

Self-Paced Training Course

Administration, Content Inspection and Basic VPN Access is available as a 2-day instructor-led course (public class or private on-site session) or as a self-paced training course. If you are taking this training as self-paced, the following are required to perform the hands-on exercises included in this Student Manual:
+ A PC or laptop running Microsoft Windows 2000/XP/2003/Vista. The PC or laptop used for the exercises in the Student Manual requires a serial port to connect the FortiGate unit to the computer. If your computer does not include a serial port, a USB to serial adaptor can be purchased from your local computer supply store.
+ A FortiGate unit. This course is designed to be used with a Small Office/Home Office (SOHO) level FortiGate model (FortiGate 100A or lower). The FortiGate must be running FortiOS version 4.0 firmware.
+ An Internet connection.
+ A FortiGuard Subscription Services license. Each new FortiGate unit comes with a free 30-day license to access FortiGuard Subscription Service updates. If you are beyond the initial 30-day trial period, a license to access FortiGuard Subscription Services is required to complete some of the exercises in the course.
+ Remote access to the FortiAnalyzer component at: http://...

Course Evaluation (for Self-Paced Training Students)

Once you have completed this training, please complete the course survey. Your comments will help to guide development of future versions of this course. To access the survey, type the following URL in your web browser: http://cam...aining.fortinet.com and click Student Survey.
LESSON 1
Overview and System Setup

Unified Threat Management

Maintaining a secure network environment using existing network security technologies is a significant challenge for a number of reasons:
+ Increasingly sophisticated and rapidly evolving cyber threats evade one or more standalone security technologies.
+ The costs and complexities associated with managing an increasingly at

[Figure: a firewall placed between the untrusted network (Internet) and the trusted corporate network]

Firewall Basics

The area situated between the Internet and a trusted internal network is often referred to as a demilitarized zone (DMZ) or perimeter network. Normally, this is where firewalls are positioned, but some larger organizations may also place firewalls between different parts of their own network that require different levels of security.

Firewalls control the flow of traffic between two or more networks, allowing legitimate traffic through but blocking intrusions, unauthorized users or malicious traffic from reaching a network. As network traffic passes through the firewall, the firewall either allows or denies passage based on a set of rules configured on the device. The rules may be defined by the firewall administrator, or the default rules may apply. For example, a firewall might permit all traffic of a specified type (such as HTTP) and deny all other services or requests. Or, it might be configured to deny all traffic types except incoming (ingress) traffic from a specified network address or address range. Rules are evaluated in order and the first match decides, so a rule set should be read top to bottom and should end in a deny for everything it does not list explicitly. Firewalls can enforce an organization's security policies by filtering outgoing (egress) traffic to ensure that it complies with usage policies. Incoming traffic is similarly inspected and matched against the firewall's policies to allow or deny access and to apply the advanced filtering options and other security settings configured in the policy.
In basic terms, a firewall's main function is to keep information from leaking out (for example, confidential business information) and to keep unwanted content from leaking in (for example, viruses, spyware or spam). Depending on its sophistication, a firewall can provide rudimentary or advanced protection.

Entry-level software firewalls for personal computers are widely available, or are even built into the operating system, to protect an individual computer when it accesses an external network. Firewalls designed for businesses can be customized more extensively. They can perform more involved operations, such as filtering spam and spyware, preventing intrusions into the network and allowing administrators to monitor traffic. High-end enterprise products can also create virtual private networks, allow management of multiple firewalls, support sophisticated authentication or access management systems, and allow for load balancing and failover.

Some common firewall features include:
+ Blocking unwanted incoming traffic based on source or destination IP addresses.
+ Blocking outgoing network traffic based on source or destination IP addresses. This can be an advantage for organizations that, for example, want to prevent employees from accessing inappropriate web sites from workplace computers.
+ Blocking network traffic based on content. For example, the firewall can screen network traffic for unacceptable content such as files that contain viruses or unsolicited spam email.
+ Allowing connections to an internal network. For example, telecommuters and traveling salespeople can use a VPN to connect to the corporate network.
+ Reporting on network traffic and firewall activities. Administrators might use this reporting information to know what the firewall is doing, who tried to break into the network, who tried to access inappropriate material on the Internet, and so forth.
+ Performing authentication to verify the identity of users or processes. By authenticating users, the firewall has additional information it can use to filter packets. Identifying the user allows the firewall to grant that user access to some services but not others.

Types of Firewalls

Firewalls fall into different categories, including:
+ Packet filter firewall
+ Stateful firewall
+ Application layer (or proxy-based) firewall

Packet Filter Firewall

Data transmitted across a TCP/IP network is broken down into small chunks called packets. Packet filter firewalls act by inspecting incoming and outgoing packets. If a packet matches the packet filter's set of rules, the configured action is taken. For example, the packet filter may allow the packet, drop (silently discard) the packet or reject it (with an error response). Packets are filtered based only on information contained in the packet headers, for example the source and destination IP address, port number and protocol. No connection state information is maintained with this type of packet filtering, so to admit the replies to an outbound connection a packet filter needs a standing inbound rule that covers the client's port range, and that rule admits unsolicited packets to the same ports just as well.

Stateful Firewall

A stateful firewall is a form of packet filtering that does more than examine a packet's addresses and ports in isolation. It also tracks the state of each connection (for TCP, from the handshake flags and sequence numbers carried in the headers) and holds the attributes of each connection in a state table in memory, from the start to the end of the connection. These attributes may include the IP addresses and ports involved in the connection and the sequence numbers of the packets passing through it. When a packet is received by the firewall, it compares the information in the packet header with the state of the associated session stored in the state table. If the information matches what is in memory, the packet is allowed to pass the firewall. If the two do not match, the packet is dropped. When stateful filtering is used, packets are only forwarded if they belong to a connection that has already been established and is being tracked in the state table. Since the more intensive checking is performed when the connection is set up, all packets for that session delivered after the initial setup are processed quickly, because they belong to an existing, pre-screened session. Once the session has ended, its entry in the state table is discarded, so inbound packets to that port are no longer accepted until a new connection is legitimately requested. This makes it harder for a port scan from outside to elicit any response. Stateful firewalls also provide added efficiency in packet inspection, since for established sessions they only need to check the state table instead of evaluating the packet against the firewall's full rule set each time a packet is received.

Application Layer (or Proxy-Based) Firewall

Some firewalls can serve proxy server functions, modifying traffic as it passes through the gateway. A proxy stands between the protected and unprotected networks; all external connections leading into the proxy terminate at the proxy. This effectively eliminates IP routing between the networks. The proxy repackages the messages into new packets that are allowed into the internal network.
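The difference between the packet filter and the stateful firewall described above, as an added example in Python that is not part of the course material. The addresses, ports, packets and rule sets are constructed for the illustration, and the state table is keyed on the 5-tuple only (no TCP flag or sequence tracking); that is enough to show why the stateless rule set must leave a standing hole for replies while the stateful one does not.

```python
"""Added example, not from the Fortinet course: a minimal model of the
packet filter and stateful firewall behaviour described above.
A packet filter decides on header fields alone, so to let replies to
outbound connections back in it needs a standing inbound rule for the
client port range, which an unsolicited probe matches just as well.
A stateful firewall records each permitted outbound connection in a
state table and admits an inbound packet only if it belongs to a tracked
session.  Addresses, ports and packets are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Key = Tuple[str, int, str, int, str]


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str        # "tcp" or "udp"
    direction: str    # "out" (internal -> Internet) or "in"


@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str
    dst: Optional[str]   # None matches any destination address
    dport_min: int
    dport_max: int
    action: str          # "accept" or "drop"


def packet_filter(rules: List[Rule], pkt: Packet) -> str:
    """First-match evaluation on header fields only; implicit deny."""
    for r in rules:
        if (r.direction == pkt.direction and r.proto == pkt.proto
                and (r.dst is None or r.dst == pkt.dst)
                and r.dport_min <= pkt.dport <= r.dport_max):
            return r.action
    return "drop"


class StatefulFirewall:
    """Rules are consulted only for the first packet of a session; later
    packets in either direction are matched against the state table."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self.state: Dict[Key, str] = {}   # keyed by the packet that opened it

    @staticmethod
    def _key(p: Packet) -> Key:
        return (p.src, p.sport, p.dst, p.dport, p.proto)

    @staticmethod
    def _reverse_key(p: Packet) -> Key:
        return (p.dst, p.dport, p.src, p.sport, p.proto)

    def check(self, pkt: Packet) -> str:
        if self._key(pkt) in self.state or self._reverse_key(pkt) in self.state:
            return "accept"          # part of a tracked session: fast path
        verdict = packet_filter(self.rules, pkt)
        if verdict == "accept":      # new session: remember it
            self.state[self._key(pkt)] = "established"
        return verdict

    def close(self, pkt: Packet) -> None:
        """Session ended (e.g. TCP FIN/RST seen): forget it, so further
        packets to that port are screened by the rules again."""
        self.state.pop(self._key(pkt), None)
        self.state.pop(self._reverse_key(pkt), None)


# Constructed scenario: an internal client browses an external web server,
# and an outside host later probes the client's ephemeral port.
CLIENT, SERVER, ATTACKER = "10.0.0.5", "203.0.113.10", "198.51.100.7"
REQUEST = Packet(CLIENT, 51000, SERVER, 80, "tcp", "out")
REPLY = Packet(SERVER, 80, CLIENT, 51000, "tcp", "in")
PROBE = Packet(ATTACKER, 4444, CLIENT, 51000, "tcp", "in")

# Packet-filter rule set: the inbound rule needed for the reply covers the
# whole ephemeral port range, so the probe is accepted too.
STATELESS_RULES = [
    Rule("out", "tcp", None, 80, 80, "accept"),
    Rule("in", "tcp", None, 1024, 65535, "accept"),
]
# Stateful rule set: only the outbound rule; replies ride on the session.
STATEFUL_RULES = [Rule("out", "tcp", None, 80, 80, "accept")]


def stateless_verdicts() -> Dict[str, str]:
    return {name: packet_filter(STATELESS_RULES, p)
            for name, p in (("request", REQUEST), ("reply", REPLY), ("probe", PROBE))}


def stateful_verdicts() -> Dict[str, str]:
    fw = StatefulFirewall(STATEFUL_RULES)
    out = {"request": fw.check(REQUEST), "reply": fw.check(REPLY),
           "probe": fw.check(PROBE)}
    fw.close(REQUEST)
    out["reply_after_close"] = fw.check(REPLY)   # session gone: dropped
    return out


if __name__ == "__main__":
    print("packet filter:", stateless_verdicts())
    print("stateful     :", stateful_verdicts())
```

Running the block prints both verdict tables: the packet filter accepts the unsolicited probe because the inbound rule that admits the reply is necessarily broad, while the stateful firewall drops it, and also drops the same reply once the session has been closed, which is the port-scan protection the text refers to.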
The proxy also terminates internal traffic that is headed out to the Internet and repackages it in a new packet with the source IP address of the proxy, not the internal host. In the case of a proxy firewall, traffic never flows directly between the networks. Instead, the proxy repackages requests and responses. No internal host is directly accessible from the external network and no external host is directly accessible by an internal host. With a proxy firewall, the firewall is the endpoint of both the incoming and the outgoing connection. Proxy-based firewalls work at the application layer of the TCP/IP protocol stack, inspecting the contents of the traffic and blocking inappropriate content, such as certain web sites, viruses, attempts to exploit client software vulnerabilities and so forth, as dictated by the rule set.

Network Address Translation

Network address translation (NAT) is a method of mapping one or more private, reserved IP addresses to one or more public IP addresses. Typically, the NAT device has a public IP address that can be seen by external hosts. Computers on the local network use a completely different set of IP addresses. When traffic goes out, the internal source IP address is replaced with the public IP address of the NAT device. When replies come back to the NAT device, it looks up which internal computer the response belongs to and forwards it to that destination. Using NAT allows a network to maintain public IP addresses separately from private IP addresses and allows a single device to act as an agent between a public network and a private network. NAT conserves IP addresses, since a single unique public IP address can represent an entire group of computers using a block of private IP addresses that are never recognized or routed on the Internet.
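The translation behaviour this section describes, in its dynamic (address pool), static (fixed one-to-one) and single-address (port address translation) forms, as an added example in Python that is not from the course. The gateway, pool and host addresses are constructed; FortiOS expresses these as IP pools and virtual IPs, but the model here is generic and runs offline.

```python
"""Added example, not from the Fortinet course: a minimal model of NAT.
Static NAT maps one private address to one fixed public address in both
directions, so an internal server is reachable from outside.  Dynamic NAT
hands out public addresses from a pool to outbound sessions and takes them
back when the session ends; once the pool is empty a new session cannot be
translated.  Port address translation (the "one address for the whole
network" case) overloads a single public address by rewriting source
ports.  Addresses and sessions are constructed sample data.
"""
from typing import Dict, List, Optional, Tuple

Flow = Tuple[str, int]   # (ip address, port) of one endpoint


class NatGateway:
    def __init__(self, public_ip: str, pool: List[str], static: Dict[str, str]) -> None:
        self.public_ip = public_ip                 # address used for port overloading
        self.free_pool = list(pool)                # dynamic one-to-one addresses
        self.dyn_map: Dict[str, str] = {}          # private ip -> pool ip in use
        self.static = dict(static)                 # private ip -> fixed public ip
        self.static_rev = {pub: priv for priv, pub in static.items()}
        self.pat: Dict[int, Flow] = {}             # public port -> private flow
        self.next_port = 40000

    def translate_outbound(self, src: Flow, mode: str) -> Optional[Flow]:
        """Public (ip, port) an outbound packet leaves with, or None when the
        dynamic pool is exhausted and the packet cannot be translated."""
        ip, port = src
        if ip in self.static:                      # static mapping takes precedence
            return (self.static[ip], port)
        if mode == "dynamic":
            if ip not in self.dyn_map:
                if not self.free_pool:
                    return None
                self.dyn_map[ip] = self.free_pool.pop(0)
            return (self.dyn_map[ip], port)
        if mode == "pat":
            for pub_port, flow in self.pat.items():   # reuse an existing binding
                if flow == src:
                    return (self.public_ip, pub_port)
            pub_port, self.next_port = self.next_port, self.next_port + 1
            self.pat[pub_port] = src
            return (self.public_ip, pub_port)
        raise ValueError("unknown NAT mode: " + mode)

    def translate_inbound(self, dst: Flow) -> Optional[Flow]:
        """Internal (ip, port) for a packet arriving from the Internet, or
        None when no mapping exists (the packet is dropped)."""
        ip, port = dst
        if ip in self.static_rev:
            return (self.static_rev[ip], port)
        for priv_ip, pub_ip in self.dyn_map.items():
            if pub_ip == ip:
                return (priv_ip, port)
        if ip == self.public_ip and port in self.pat:
            return self.pat[port]
        return None

    def release_dynamic(self, private_ip: str) -> None:
        """Session over: return the pool address so another host can use it."""
        pub = self.dyn_map.pop(private_ip, None)
        if pub is not None:
            self.free_pool.append(pub)


def static_nat_demo() -> Tuple[Optional[Flow], Optional[Flow]]:
    """Internal web server 192.168.1.10 published on 203.0.113.80."""
    gw = NatGateway("203.0.113.1", pool=[], static={"192.168.1.10": "203.0.113.80"})
    outbound = gw.translate_outbound(("192.168.1.10", 443), "dynamic")
    inbound = gw.translate_inbound(("203.0.113.80", 443))    # reachable from outside
    return outbound, inbound


def dynamic_nat_demo() -> List[Optional[Flow]]:
    """Two-address pool, three hosts: the third waits for a free address."""
    gw = NatGateway("203.0.113.1", pool=["203.0.113.20", "203.0.113.21"], static={})
    results = [gw.translate_outbound(("192.168.1.11", 5000), "dynamic"),
               gw.translate_outbound(("192.168.1.12", 5001), "dynamic"),
               gw.translate_outbound(("192.168.1.13", 5002), "dynamic")]  # None: pool empty
    gw.release_dynamic("192.168.1.11")                               # first session ends
    results.append(gw.translate_outbound(("192.168.1.13", 5002), "dynamic"))  # now succeeds
    return results


def pat_demo() -> Tuple[Optional[Flow], Optional[Flow], Optional[Flow], Optional[Flow]]:
    """One public address shared by two hosts; only replies to bindings get in."""
    gw = NatGateway("203.0.113.1", pool=[], static={})
    a = gw.translate_outbound(("192.168.1.11", 5000), "pat")
    b = gw.translate_outbound(("192.168.1.12", 5000), "pat")   # same private port, new public port
    reply_to_a = gw.translate_inbound(a)
    probe = gw.translate_inbound(("203.0.113.1", 22))           # no binding: dropped
    return a, b, reply_to_a, probe


if __name__ == "__main__":
    print("static :", static_nat_demo())
    print("dynamic:", dynamic_nat_demo())
    print("pat    :", pat_demo())
```

The three demo functions show the points the text makes: the static mapping is the only one that lets an outside host initiate a connection to an internal server; a dynamic pool gives a host a whole public address for the life of its session and refuses new sessions when the pool is exhausted; and port address translation lets one public address serve many hosts while an inbound packet that matches no binding has nowhere to go and is dropped.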
As a result, organizations can use their own internal IP addressing schemes with a single IP address provided by their service provider. NAT also hides the internal network from the outside world, since only the translated address is visible externally. Note that this hiding is a side effect of the translation rather than an access control: whether a packet is forwarded at all is still decided by the firewall policy to which the NAT is applied.

Dynamic NAT

Dynamic NAT is a form of NAT in which a private IP address is mapped to a public IP address drawn from a pool of registered public IP addresses. Typically, the NAT device maintains a table of registered IP addresses. When a private IP address requests access to the Internet, the device chooses an IP address from the table that is not being used at the time by another private IP address, and returns it to the pool when the session ends. Dynamic NAT helps to secure a network because it masks the internal configuration of the private network and makes it difficult for someone outside the network to monitor individual usage patterns. Another advantage of dynamic NAT is that it allows a private network to use private IP addresses that are invalid on the Internet but useful as internal addresses. Because the public address assigned to a host can change from session to session, dynamic NAT is not suitable for a device that must be reachable from outside the network.

Static NAT

Static NAT is a type of NAT in which a private IP address is mapped to a public, static IP address, where the public address is always the same. This method of mapping an unregistered (private) IP address to a registered (public) IP address on a one-to-one basis is what allows an internal host, such as a web server, to keep a private IP address and still be reachable over the Internet.

FortiGate

FortiGate Capabilities

FortiGate devices include a comprehensive array of security and networking capabilities.

UTM Features

Antivirus
The FortiGate uses a combination of techniques to provide real-time protection against virus attacks, worms and spyware.
These techniques include signature matching, file pattern recognition, heuristics, IP address checks, URL checks and more.

Antispam
The FortiGate unit delivers reliable, high-performance features to detect, tag, quarantine and block spam messages and their malicious attachments, including IP address checks, checksum checks, banned word checks, black/white lists, DNSBL, ORDBL and more.

Web Filtering
The FortiGate unit, in conjunction with the FortiGuard Web Filtering Service, offers a solution to control access to inappropriate web sites that may expose businesses to potentially liable material, jeopardize network security and consume valuable bandwidth. The FortiGuard Web Filtering database is a URL database with over 60 million rated web sites in 76 categories.

Intrusion Protection
The FortiGate Intrusion Protection System matches network traffic against patterns contained in attack signatures. Attack signatures reliably protect the network from known attacks; Fortinet's FortiGuard infrastructure ensures the rapid identification of new threats and the development of new attack signatures. The FortiGate unit can record suspicious traffic in logs, send alert email to system administrators, and log, pass, drop, reset or clear suspicious packets or sessions. An organization can create custom signatures to adapt the FortiGate unit's Intrusion Protection System to diverse network environments.

Application Control
The Application Control feature lets you detect and take action on network traffic based on the applications generating the traffic, for instance Instant Messaging (IM), Peer-to-Peer (P2P) and VoIP. Built on the FortiGate Intrusion Protection protocol decoders, application control is a more user-friendly and powerful way to use Intrusion Protection features to log and manage the behaviour of application traffic passing through the FortiGate unit.
Data Leak Prevention
Data Leak Prevention (DLP) protects sensitive information from being transmitted over web, email or file transfer protocols. You define rules and compound rules to detect possible data leaks and specify the action to take in response. Rules and compound rules are combined into DLP sensors, which you can enable in firewall protection profiles. Actions in response to detected data leakage include:
+ Log the leakage
+ Block sending of the data
+ Content archiving
+ Ban the user from using this protocol. The user is added to the Banned User List.

Firewall
A FortiGate unit uses firewall policies to dictate whether traffic will be allowed or denied access to the network. Traffic cannot pass through the FortiGate unit unless it matches a policy's rules; traffic that matches no policy is denied. The FortiGate unit uses protection profiles to dictate which type of content inspection is performed on traffic passing through the firewall.

WAN Optimization
FortiGate WAN optimization can be used to improve performance and security across a WAN by applying a number of related techniques, including protocol- and application-based data compression and optimization, data deduplication (a technique that reduces how often the same data is transmitted across the WAN), web caching, secure tunnelling and SSL acceleration.

Endpoint Compliance
Endpoint compliance, also called endpoint control, lets you enforce the use of FortiClient End Point Security in your network and ensure that clients have both the most recent version of the FortiClient software and the most up-to-date antivirus signatures. The FortiGate unit retrieves FortiClient software and antivirus updates from FortiGuard. If the FortiGate unit contains a hard disk drive, these files are cached to serve downloads to multiple endpoints more efficiently.
The endpoint compliance feature also provides monitoring. The FortiGate unit gathers information from client computers when they use a firewall policy with the Enable Endpoint Compliance Check option enabled.

Virtual Domains
Virtual domains (VDOMs) enable a FortiGate unit to function as multiple independent units. A single FortiGate unit can then be flexible enough to serve multiple departments of an organization or separate organizations, or be the basis for a service provider's managed security service. VDOMs provide separate security domains, each with its own zones, user authentication, firewall policies, routing and VPN configurations. Using VDOMs can also simplify administration of complex configurations, because administrators do not have to manage as many routes or firewall policies at one time.

Traffic Shaping
Traffic shaping controls the bandwidth available to, and the priority of, traffic processed by a firewall policy. Traffic shaping makes it possible to control which policies have the highest priority when large amounts of data are moving through the FortiGate device. For example, the policy for the corporate web server might be given higher priority than the policies for employees' computers.

Secure VPN
The built-in SSL VPN capabilities of the FortiGate unit can ensure the confidentiality and integrity of data transmitted over the Internet. The FortiGate unit provides enhanced authentication in addition to encrypting and securing information sent from a web browser to a web server. You can also create fully customizable SSL VPN web portal configurations with a different look and feel, as well as different types of web portal functionality.

High Availability (HA)
FortiGate high availability (HA) addresses two key requirements of critical enterprise networking components: enhanced reliability and increased performance.
FortiGate HA is implemented by configuring two or more FortiGate units to operate as an HA cluster. To the network, the HA cluster appears to function as a single FortiGate unit, processing network traffic and providing the normal security services such as firewall, VPN, IPS, virus scanning, web filtering and spam filtering.

Logging
A FortiGate unit provides extensive logging capabilities for traffic, system and network protection functions. Detailed log information and reports provide historical as well as current analysis of network activity to help identify security issues and reduce network misuse and abuse.

User Authentication
A FortiGate unit can control access to network resources by defining lists of authorized users. User authentication can be performed locally on the FortiGate unit or through external authentication servers. Supported external authentication methods include RADIUS, LDAP, Active Directory, TACACS+ and digital certificates issued by a Public Key Infrastructure (PKI).

FortiGate Unit Description

A FortiGate unit, depending on the model, may include some of the following components:

CPU
Depending on the model, a 300 MHz to 1.8 GHz Intel processor is included in the FortiGate. Some higher-end models may include dual processors.

FortiASIC Content Processor
This custom-designed processor augments the capabilities of the unit by offloading some of the intensive processing activities, such as antivirus scanning, from the CPU. FortiASIC processing includes an engine for antivirus signature scanning, acceleration of cryptographic operations, processing of firewall policies, and acceleration of packet traffic for applications such as VoIP and HTTPS.

DRAM
The FortiGate can include from 64 MB to 1 GB of DRAM.
Flash Memory
The FortiGate can include from 32 MB to 64 MB of flash memory to store firmware images on the device.

Hard Drive
Some higher-end FortiGate devices include a hard drive that can be used for storing logs, archived content and quarantined files.

Network Interface Ports
The FortiGate includes a collection of interface connections to connect the device to various networks, such as an internal network, a DMZ network or a WAN. Some high-end enterprise models may include Small Form-factor Pluggable (SFP) and XFP (a 10 Gbps version of SFP) network interfaces.

Serial Console Port
The FortiGate includes a serial console port to allow access from the management computer.

USB Port
A USB port is included on the FortiGate for use with a FAT16-formatted USB drive or an external modem.

Wireless
Some FortiGate devices, such as the FortiWiFi 60, are WiFi enabled and allow wireless connections between host computers and the FortiGate unit.

Modem
Some FortiGate models, such as the 60AM, include a built-in modem.

Module Slot Bays
Some high-end FortiGate models include slot bays for Advanced Mezzanine Cards (AMC); in chassis-based systems the FortiGate is itself a blade card installed within a chassis.

PC Card Slot
Some FortiGate models integrate a PC (also called PCMCIA) card slot for additional expansion using a Type II PC card.

FortiGate Front View

Each model of FortiGate may look different. The example device illustrated below is the FortiGate 51B, which is commonly used in classroom configurations. Similar indicators are available on most FortiGate units.

[Figure: FortiGate 51B front panel with numbered indicators]

Power LED: This indicator displays green when the FortiGate unit is powered on.
Status LED: This indicator flashes green when the FortiGate unit is starting up and is off when the unit is running normally or is shut off. The indicator is red when the modem is in use and connected.

Alarm: The Alarm indicator displays red when a major error has occurred and amber when a minor error has occurred.

WAN1 and WAN2 interface LEDs: There are indicators for each of the WAN interfaces on the FortiGate. The indicator displays green when the correct cable is in use and the connected equipment has power, flashes green when there is network activity on the interface, and is off when no link is established on the interface.

Internal interface LEDs: There are indicators for each internal interface on the FortiGate. The indicator displays green when the correct cable is in use and the connected equipment has power, flashes green when there is network activity on the interface, and is off when no link is established on the interface.

FortiGate Back View

Each model of FortiGate may look different. The example device illustrated below is the FortiGate 51B, which is commonly used in classroom configurations. Similar interface connections will be available on most FortiGate units.

[Figure: FortiGate back panel, with the connections described below]

Power: Power adapter connection.

Console: This RJ-45 interface connects the FortiGate unit to the management computer using the supplied DB-9 serial cable.

USB: These optional USB connections can be used for a serial modem (serial-to-USB adapter required) or for USB drives.

Internal: Ethernet cables connect the FortiGate unit to computers on an internal network. Internal interfaces are MDI/MDIX auto-sensing, so both straight-through and cross-over cables will work.

WAN1 and WAN2: A straight-through Ethernet cable connects the WAN interface to the Internet (public switch, router or modem).
The WAN2 connection offers an optional redundant connection to the Internet.

Operating Modes

A FortiGate unit can operate in two different modes depending on the configuration of the network and the needs of the organization.

NAT/Route Mode

NAT/Route mode is the default configuration on the FortiGate unit. In NAT/Route mode, each FortiGate unit is visible to the network that it is connected to. All of its interfaces are on different subnets. Each interface that is connected to a network must be configured with an IP address that is valid for that network.

[Figure: NAT/Route mode example. Route mode policies control traffic between internal interfaces; NAT mode policies control traffic between internal and external networks.]

An organization would typically use NAT/Route mode when the FortiGate unit is deployed as a gateway between private and public networks. In its default NAT/Route mode configuration, the unit functions as a firewall. Firewall policies control communications through the FortiGate unit. No traffic can pass through the FortiGate unit until firewall policies are put in place to allow network traffic to pass.

In NAT/Route mode, firewall policies can operate in NAT mode or in Route mode. In NAT mode, the FortiGate unit performs network address translation before IP packets are sent to the destination network. In Route mode, no translation takes place.

Transparent Mode

In Transparent mode, the FortiGate unit is invisible to the network. All of its interfaces are on the same subnet. Configure a management IP address so that configuration changes can be made. This type of configuration is used when an organization wishes to make use of the features of the FortiGate without altering the IP infrastructure of the network.
[Figure: Transparent mode example]

Transparent mode on the FortiGate unit would typically be used on a private network behind an existing firewall or behind a router. In its default Transparent mode configuration, the unit functions as a firewall. No traffic can pass through the FortiGate unit until firewall policies are added. Connect up to four network segments to the FortiGate unit to allow the device to control traffic between these network segments.

Device Administration

Administration tasks on the FortiGate unit can be performed from either a graphical user interface (Web Config) or a command line interface (CLI).

Web Config

Web Config can be used to configure most FortiGate settings and to monitor the status of the FortiGate unit using HTTP or a secure HTTPS connection from any computer running a web browser. Use HTTPS for administration: over plain HTTP the administrator password and session travel in clear text.

[Figure: Web Config login page]

Configuration changes made using Web Config are effective immediately without resetting the firewall or interrupting service. Once satisfied with a configuration, it can be backed up. The saved configuration can be restored at any time.

To connect to the Web Config interface, the following are required:
+ A computer with an Ethernet connection
+ A supported web browser such as Microsoft Internet Explorer version 6.0 or higher or Firefox 1.0 or higher
+ Ethernet cables (since internal interfaces are MDI/MDIX auto-sensing, straight-through or crossover cables will work)

Web Config consists of a menu and pages, many of which have multiple tabs. When a menu item is selected, such as System, it expands to reveal a submenu. When one of the submenu items is selected, the associated page opens at its first tab. To view a different page, click the tabs along the top of the page.
System Dashboard

The system dashboard, displayed under System > Status, displays important information about the FortiGate device. A default dashboard displays core details, but you can move elements around on the Status page and click the Add Content link to remove or replace items.

Web Config Menu

The left-hand navigation menu displayed in Web Config provides access to configuration options for all major features of the FortiGate unit.

System: Configure system facilities, such as network interfaces, virtual domains, DHCP services, High Availability (HA), system time and system options.

Router: Configure FortiGate static and dynamic routing.

Firewall: Configure firewall policies and protection profiles that apply network protection features. Also configure virtual IP addresses and IP pools.

UTM: Configure antivirus protection, the FortiGate Intrusion Protection System (IPS), web filtering and email spam filtering. View available data leak prevention sensors and configure DLP rules. Configure the monitoring and control of application traffic.

VPN: Configure IPSec, SSL and PPTP virtual private networking.

User: Configure user accounts for use with firewall policies that require user authentication. Also configure external authentication servers such as RADIUS, LDAP and Windows.

Endpoint Control: Monitor the list of known endpoints. Configure FortiClient settings for endpoints. Configure software application detection on endpoints.

Log & Report: Configure logging and alert email. View log messages and reports.

Status Tab

System Information

The System Information pane on the Status tab displays information regarding the FortiGate unit, including firmware version and operating mode.
[Figure: System Information pane showing the serial number, operation mode, virtual domain status and the number of current administrators]

License Information

The License Information pane displays the current status of service contracts, versions of antivirus and IPS definitions, and available services.

[Figure: License Information pane listing the support contract, the FortiGuard subscriptions (antivirus, intrusion protection, web filtering, antispam) with definition versions, update dates and expiry dates, and the Analysis & Management Service account ID]

CLI Console

The Status tab displays a CLI Console where you can enter commands through the command line without leaving Web Config.

System Resources

The System Resources pane displays the current CPU and memory usage.

Unit Operation

The Unit Operation pane displays which interfaces are currently in use, along with links to reboot, shut down and reset the FortiGate device.

Alert Message Console

The Alert Message Console displays important system warnings, such as a system restart.

Click Add Content to display the following additional dashboard elements:

Top Sessions

Displays the IP addresses that have the most sessions open on the FortiGate unit.
Top Viruses

Displays the most frequently detected virus threats on the FortiGate unit.

Top Attacks

Displays the most numerous attacks detected by the FortiGate unit.

Traffic History

Displays the traffic in and out on a selected interface over the last hour, day and month.

Statistics

The Statistics pane displays statistics about traffic passing through the FortiGate unit, such as caught viruses and detected spam messages.

[Figure: Statistics pane with Content Archive counters (HTTP and HTTPS URLs visited; emails sent and received; FTP URLs visited and files uploaded and downloaded; IM file transfers, chat sessions and messages) and Attack Log counters (viruses caught, attacks detected, spam detected, URLs blocked, data loss detected), each with a Details link]

Online Help

Online help can be accessed from anywhere in Web Config by clicking the Online Help icon.

[Figure: Online Help window open at "Viewing system status"]
Searching Help

It is also possible to search the Help index by clicking the Show Navigation button in the Help window and then clicking Search.

[Figure: Online Help window with the navigation pane and Search tab displayed]
Topology Viewer

The Topology Viewer creates a diagram detailing the connections to the FortiGate. The viewer is only available on FortiGate models 100A and above. Topology diagrams use the FortiGate itself as the center point. All configured address objects can be added as connected networks in the diagrams. This viewer is a good way to see, at a glance, how the FortiGate is connected.

[Figure: Topology Viewer diagram]

Command Line Interface (CLI)

The FortiGate command line interface (CLI) can be accessed by connecting a management computer serial port to the FortiGate serial console connector. Telnet or secure SSH can also be used to connect to the CLI from any network that is connected to the FortiGate unit, including the Internet; prefer SSH, since Telnet sends the login credentials in clear text.

The CLI supports the same configuration and monitoring functionality as the Web Config interface.
In addition, the CLI can be used for advanced configuration options that are not available from Web Config.

The following is required to use the CLI:
+ A computer with an available COM port
+ A null modem cable, such as the RJ-45 to DB-9 serial cable provided with the FortiGate unit, to connect the FortiGate console port to a communications port on the computer
+ Terminal emulation software such as HyperTerminal for Windows or TeraTerm

Logging in to the CLI

The following settings must be configured in the terminal emulation software to connect to the CLI:

Bits per second: 9600
Data bits: 8
Parity: None
Stop bits: 1
Flow control: None

The administrator wishing to make changes to the FortiGate device through the CLI must enter appropriate login credentials, including a user name and password. The default login name on the FortiGate is admin with a blank password.

    FGT60B3907515488 login: admin
    Password:
    Welcome !

    FGT60B3907515488 #

The command line prompt changes to the # character once the administrator has completed a successful login.

CLI Command Structure

The structure of the CLI commands allows an administrator to modify any of the settings within the FortiGate from the command line. The command structure includes the following components:
+ Commands
+ Objects
+ Branches
+ Tables
+ Parameters

Commands

Commands are at the top level of the CLI command structure. Once logged in as an administrator, type ? at the # prompt to view the available commands.

    FGT60B3907515488 # ?
    config      config object
    get         get dynamic and system information
    show        show configuration
    diagnose    diagnose facility
    execute     execute static commands
    exit        exit CLI

    FGT60B3907515488 #
The FortiGate CLI uses the following commands:

config: Configures CLI objects, such as the firewall, the router and antivirus protection. For example: config <object>

get: Displays system status information. get can also be used within a config command to display the settings for that command, or with the full path to display the settings for a particular object. For example: get hardware status

show: Displays the FortiGate unit configuration. By default, only changes to the default configuration are displayed. Use show full-configuration to display the complete configuration. Use show within a config command to display the configuration of that command. For example: show <branch>

execute: Runs static commands to reset the FortiGate unit to factory defaults or to back up or restore FortiGate configuration files. The execute commands are available only from the root prompt. For example: execute factoryreset

diagnose: Commands in the diagnose branch are used to debug the operation of the FortiGate unit and to set parameters for displaying different levels of diagnostic information. For example: diagnose <branch>

Objects

The next level of the FortiGate CLI command structure is based on configurable objects. For each of the commands at the top level, there are objects that can be associated with it. To view the objects associated with a command, type the command followed by the ? character.
In this example, all objects related to the config command are displayed.

    FGT60B3907515488 # config
    antivirus           antivirus configuration
    application         application
    dlp                 dlp
    endpoint-control    endpoint-control
    firewall            firewall
    gui                 gui
    imp2p               imp2p
    ips                 ips
    log                 log
    router              router
    spamfilter          spamfilter
    system              system
    user                user
    vpn                 vpn
    web-proxy           web-proxy
    webfilter           webfilter

    FGT60B3907515488 # config

The objects vary depending on the command that is entered and include the following:

alertemail: Sends email to designated recipients when it detects log messages of a defined severity level.

antivirus: Scans services for viruses and grayware, optionally providing quarantine of infected files.

firewall: Controls connections between interfaces according to policies based on IP addresses and type of service; applies protection profiles.

gui: Controls preferences for the web-based manager, CLI console and topology viewer.

imp2p: Controls user access to Instant Messaging and Peer-to-Peer applications.

ips: Configures the intrusion prevention system.

log: Configures logging.

router: Moves packets from one network segment to another towards a network destination, based on packet headers.

spamfilter: Filters email based on MIME headers, a banned word list, and email and IP address lists.

system: Configures options related to the overall operation of the FortiGate unit, such as interfaces, virtual domains and administrators.

user: Authenticates users to use firewall policies or VPNs.

vpn: Provides Virtual Private Network access through the FortiGate unit.

webfilter: Blocks or passes web traffic based on a banned word list, URL filters and FortiGuard Web category filtering.

Objects are containers for more specific lower-level items that are each in the form of a table.
For example, the firewall object contains tables of addresses, address groups, policies and protection profiles. Entries in the table can be added, deleted or edited. Table entries consist of keywords that can be set to particular values (or parameters).

Note: There may be other CLI objects that are model-specific and, therefore, only available on certain FortiGate models.

Branches

The next level of the command structure is the branch. A branch lets you modify an object's characteristics. The available branches will be different depending on the object you are modifying. When entering a branch for an object, the command prompt changes to identify the branch. To exit a branch, enter the end command. In this example, the administrator is editing FortiGate unit interface characteristics.

[Figure: terminal session entering the system interface branch]

Tables

A table is a collection of configurable items available within a branch. An administrator can modify the values within the tables to affect a FortiGate device. In this example, the port1 entry of the interface table is being edited. When modifying a table, the command prompt changes to identify the table. To exit a table, enter the end command. If there are multiple tables available in a branch, use the next command to move to the next table.

    FGT60B3907515488 # config system interface
    FGT60B3907515488 (interface) # edit port1
    new entry 'port1' added
    FGT60B3907515488 (port1) #

Parameters

The final components of the CLI command structure are the parameters.
The parameters are the actual values that are being edited through the CLI. Each table can have a collection of parameters, any of which can be modified through the CLI. The parameters available for modification will be different depending on the table that is being edited. In this example, the parameters for the name of a VDOM (using set vdom "root") and the IP address (using set ip) are being modified in the port1 table entry.

[Figure: terminal session setting vdom and ip on port1]

Once the desired parameters are set, type end to save the entry and return to the root prompt. Alternately, to configure another entry in the same table, type next, which saves the current entry and stays in the table. By default, when you type end or next, the parameters are written to the configuration file. These changes are not lost should a system reboot occur. Modifying the cfg-save parameter can change the behavior so that changes are not automatically saved. If this option is used, all changes must be saved manually before exiting the CLI by entering execute cfg save at the root prompt.

CLI Basics

There are shortcuts and options available to simplify using CLI commands.

Command Help
+ Press the question mark (?) key at the command prompt to display a list of the commands available and a description of each command.
+ Type a command followed by a space and press the question mark (?) key to display a list of the objects available for that command and a description of each.
+ Type a command followed by an object and press the question mark (?) key to display a list of branches available for that command/object combination, along with a description of each option.

Command Completion
+ Use the Tab key or the question mark (?) key to complete commands.
+ Press the Tab key at any prompt to scroll through the options available for that prompt.
+ Type the first characters of any command and press the Tab key or the question mark (?)
key to complete the command or to scroll through the options that are available at the current cursor position.
+ After completing the first word of a command, press the space bar and then the Tab key to scroll through the objects available at the current cursor position.

Recalling Commands

Recall previously entered commands by using the Up and Down arrow keys to scroll through the commands you previously entered.

Editing Commands

Use the Left and Right arrow keys to move the cursor back and forth in a recalled command. Use the Backspace and Delete keys and the control keys listed below to edit the command.

Function                                  Key combination
Beginning of line                         CTRL+A
End of line                               CTRL+E
Back one character                        CTRL+B
Forward one character                     CTRL+F
Delete current character                  CTRL+D
Previous command                          CTRL+P
Next command                              CTRL+N
Abort the command                         CTRL+C
If used at the root prompt, exit the CLI  CTRL+C

Line Continuation

To break a long command over multiple lines, use a \ character at the end of each line.

Command Abbreviation

Abbreviate commands, objects and branches to the smallest number of non-ambiguous characters. For example, the command get system status can be abbreviated to g sy st.

IP Address Formats

Enter an IP address and subnet using either dotted decimal or slash-bit format. For example, type either set ip <address> <netmask> or set ip <address>/<bits>. The IP address is displayed in the configuration file in dotted decimal format. See the FortiGate CLI Reference Guide for more details on using the CLI.

Administrative Users

Administrative users are responsible for the firewall's configuration and operation. The system's factory default configuration has one administrative account called admin.
The admin account has full read/write control of the FortiGate configuration. After connecting to Web Config or the CLI, additional administrators can be configured. Once they are added, give administrative users various levels of access to different parts of the FortiGate unit configuration using an access profile. Create day-to-day administrator accounts with a restricted access profile and reserve super_admin for the few people who need it.

There are two types of administrative accounts that can be created on a FortiGate device:
+ System administrator: This account includes the factory default system administrator admin, and any other administrators assigned to the super_admin profile.
+ Regular administrator: This is an administrator with any access profile other than super_admin. A regular administrator account has access to configuration options as determined by its access profile. If virtual domains are enabled, the regular administrator is assigned to one VDOM and cannot access global configuration options or the configuration for any other VDOM.

The default admin user cannot be renamed; however, the password can and should be set for the account immediately after the initial login to Web Config or the CLI. By default, admin has no password. The maximum password length is 32 characters.

Super_admin Access Profile

The factory default system administrator account admin uses the access profile called super_admin. This is a special profile which cannot be viewed or changed. It can, however, be assigned to additional administrative users.

Any administrator assigned to the super_admin access profile has full access to the FortiGate unit configuration and, in addition, can:
+ Enable VDOM configuration
+ Create VDOMs
+ Configure VDOMs
+ Assign regular administrators to VDOMs
+ Configure global options

Users assigned to the super_admin profile:
+ Can delete other users assigned the super_admin profile and/or change their configured authentication method, password or access profile, only if the other users are not logged in.
+ Can delete the default admin account only if another user with the super_admin profile is logged in and the default admin user is not.

Interface Addressing

One of the first tasks in setting up a FortiGate device to operate in the network is to configure the network interfaces. The number of physical interfaces on a FortiGate unit varies per model. On the FortiGate 60B, for example, there are four interfaces, named internal, dmz, wan1 and wan2. The internal interface is also a 6-port integrated switch, but these ports are not individually addressable.

The interfaces on a FortiGate unit can support multiple IP addresses, each with independent administrative access settings, for example HTTPS, ping and SSH. Enable only HTTPS and SSH on interfaces facing untrusted networks, since HTTP and Telnet send the administrator password in clear text. A FortiGate interface can be configured with a static IP address or acquire its IP address from a DHCP or PPPoE server. The FortiGate interfaces can be configured using either Web Config or the CLI command config system interface.

Static

In Web Config, you can configure a static IP address on the Interface tab in System > Network by selecting Manual in Addressing mode. The IP address and subnet information are entered in the IP/Netmask field. Note that an IP address can only be assigned on the same subnet as the network to which the interface connects. The same is true for any assigned secondary IP addresses.

[Figure: Edit Interface page with Addressing mode set to Manual, the IP/Netmask field and the Administrative Access check boxes]
DHCP

No configuration information is required for interfaces that are configured to use DHCP. When DHCP is selected, the FortiGate unit automatically broadcasts a DHCP request. The interface is configured with the IP address and, optionally, the DNS server addresses and default gateway address that the DHCP server provides.

[Figure: Edit Interface page with Addressing mode set to DHCP, showing the Retrieve default gateway from server and Override internal DNS options]

If Retrieve default gateway from server is selected, the gateway (next hop) retrieved by the interface will be set as the default gateway for the FortiGate device. This will override any other configured default gateways.

If Override internal DNS is selected, the DNS servers retrieved by the interface will become the FortiGate device's preferred DNS servers. This will override any DNS entries configured in the system.

PPPoE

If PPPoE is configured for the interface, the FortiGate unit automatically broadcasts a PPPoE request. PPPoE requires a username and password. In addition, PPPoE unnumbered configurations require an IP address in the Unnumbered IP field. If the ISP has assigned a block of IP addresses, use one of them. Otherwise, this IP address can be the same as another interface or it can be any IP address.

[Figure: Edit Interface page with Addressing mode set to PPPoE, showing the Username, Password and Unnumbered IP fields]
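The nested config / edit / set / next / end form from the CLI Command Structure section, the static, DHCP and PPPoE addressing modes described above, and the admin-account rules from the Administrative Users section can all be exercised offline with a small generator and parser. The Python script below is an added example written for this page; it is not part of the course material and not a Fortinet tool. It renders interface entries in the CLI's nested form, accepts addresses in either slash-bit or dotted-decimal notation and stores them in dotted-decimal form as the configuration file does, refuses an address that is not on the subnet the interface connects to, parses a show dump back into a dictionary, and uses that parser to flag the two conditions the manual warns about: the default admin account still without a password, and extra accounts holding the super_admin profile. The keyword names defaultgw, dns-server-override and ipunnumbered, the readonly profile name, and every account, address and dump in the script are assumptions constructed for the example, not taken from the page.

```python
# Added example for this page, not course material or Fortinet code: a small
# FortiOS-style CLI generator/parser. Keyword names defaultgw,
# dns-server-override and ipunnumbered, the 'readonly' profile and all
# sample data are assumptions constructed for the example.
import ipaddress
from typing import Dict, List, Optional, Sequence, Tuple


def cli_block(table: str, entry: str, settings: Sequence[Tuple[str, str]]) -> str:
    """Render one table entry in the config / edit / set / next / end shape."""
    out = [f"config {table}", f'    edit "{entry}"']
    out += [f"        set {key} {value}" for key, value in settings]
    out += ["    next", "end"]
    return "\n".join(out)


def normalize_ip(ip_with_mask: str, connected_subnet: Optional[str] = None) -> str:
    """Accept slash-bit or dotted-decimal input and return the dotted-decimal
    form the configuration file stores; refuse an address that is not on the
    subnet the interface connects to when that subnet is given."""
    iface = ipaddress.ip_interface("/".join(ip_with_mask.split()))
    if connected_subnet is not None:
        net = ipaddress.ip_network(connected_subnet, strict=False)
        if iface.network != net:
            raise ValueError(f"{iface} is not on the connected subnet {net}")
    return f"{iface.ip} {iface.network.netmask}"


def static_interface(name: str, ip_with_mask: str, connected_subnet: Optional[str] = None,
                     allowaccess: Sequence[str] = ("https", "ssh", "ping"), vdom: str = "root") -> str:
    """Manual addressing mode; the default allowaccess leaves HTTP and Telnet off."""
    return cli_block("system interface", name, [
        ("vdom", f'"{vdom}"'),
        ("ip", normalize_ip(ip_with_mask, connected_subnet)),
        ("allowaccess", " ".join(allowaccess)),
    ])


def dhcp_interface(name: str, use_server_gateway: bool = True, override_dns: bool = False) -> str:
    """DHCP mode with 'Retrieve default gateway from server' and 'Override internal DNS'."""
    on = {True: "enable", False: "disable"}
    return cli_block("system interface", name, [
        ("mode", "dhcp"),
        ("defaultgw", on[use_server_gateway]),          # assumed keyword name
        ("dns-server-override", on[override_dns]),      # assumed keyword name
    ])


def pppoe_interface(name: str, username: str, password: str, unnumbered_ip: Optional[str] = None) -> str:
    """PPPoE mode: credentials required, Unnumbered IP only for unnumbered setups."""
    settings = [("mode", "pppoe"), ("username", f'"{username}"'), ("password", f'"{password}"')]
    if unnumbered_ip:
        settings.append(("ipunnumbered", unnumbered_ip))   # assumed keyword name
    return cli_block("system interface", name, settings)


def parse_config(text: str) -> Dict[str, Dict[str, Dict[str, str]]]:
    """Parse a 'show' dump into {table: {entry: {keyword: value}}} (one-level blocks only)."""
    tables: Dict[str, Dict[str, Dict[str, str]]] = {}
    table = entry = None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "config":
            table = tables.setdefault(" ".join(tok[1:]), {})
        elif tok[0] == "edit" and table is not None:
            entry = table.setdefault(tok[1].strip('"'), {})
        elif tok[0] == "set" and entry is not None:
            entry[tok[1]] = " ".join(t.strip('"') for t in tok[2:])
        elif tok[0] == "next":
            entry = None
        elif tok[0] == "end":
            table = entry = None
    return tables


def audit_admins(show_admin_dump: str) -> List[str]:
    """show prints only non-default settings, so an account with no 'set password'
    line still has the blank default; also flag extra super_admin accounts."""
    findings = []
    for name, params in parse_config(show_admin_dump).get("system admin", {}).items():
        if "password" not in params:
            findings.append(f"{name}: no password set")
        if params.get("accprofile") == "super_admin" and name != "admin":
            findings.append(f"{name}: additional super_admin account")
    return findings


SAMPLE_SHOW_ADMIN = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "netops"
        set accprofile "super_admin"
        set password ENC constructed-hash-1
    next
    edit "helpdesk"
        set accprofile "readonly"
        set password ENC constructed-hash-2
    next
end
"""  # constructed dump, not captured from a real unit
```

Calling static_interface("internal", "192.168.1.99/24", "192.168.1.0/24") returns the block with set ip 192.168.1.99 255.255.255.0, and audit_admins(SAMPLE_SHOW_ADMIN) returns two findings: the default admin account with no password, and netops as an additional super_admin account. The password check relies on the manual's note that show prints only non-default settings, so it is a heuristic on a dump rather than a test of the live unit.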
DNS

Several FortiGate functions use DNS, including alert email and URL blocking. You must specify the IP addresses of the DNS servers to which the FortiGate unit connects. DNS server IP addresses are usually supplied by the ISP.

Configure lower-end FortiGate models (100 and lower) to obtain DNS server addresses automatically. To obtain these addresses automatically, at least one FortiGate unit interface must use the DHCP or PPPoE addressing mode.

FortiGate models 100 and lower can provide DNS forwarding on their interfaces. Hosts on the attached network use the interface IP address as their DNS server. DNS requests sent to the interface are forwarded to the configured DNS server addresses, or to the ones that the FortiGate unit obtained automatically.

(Screenshot: System > Network > Options page showing the DNS Settings fields Primary DNS Server, Secondary DNS Server and Local Domain Name, and the Dead Gateway Detection fields Detection Interval (seconds) and Fail-over Detection (lost consecutive pings).)

Configuration Backup and Restore

An administrator can back up the system configuration, including web content files and spam filtering files, and can restore the system configuration from previously downloaded backup files.

The configuration of the FortiGate unit can be backed up to a few different locations:
+ The local PC used to manage the FortiGate unit
+ A management station such as a FortiManager unit or the FortiGuard Management Service
+ A USB disk, if the FortiGate unit has a USB port and a USB disk is connected to it

(Screenshot: System > Maintenance > Backup & Restore tab, with Backup configuration to and Restore configuration from selectors for Local PC, FortiManager and USB Disk, an Encrypt configuration file check box with Password fields, and a Firmware Upgrade section.)
The backup can be encrypted. To encrypt the backup file, select the Encrypt configuration file option and enter a password. You will need this password to restore the file. To back up VPN certificates, encryption must be enabled on the backup file. The encrypt option is not available for backups created using the FortiManager backup option. Because the password is the only protection on the backup file, treat the file as sensitive and choose the password accordingly.

Firmware Upgrades

Firmware upgrades can be applied through Web Config, the CLI, or automatically through the FortiGuard Management Service. To upgrade the firmware through Web Config or the CLI, the firmware file must be obtained from Fortinet Support. The firmware file can be applied from the System Information pane under System > Status, or from the Backup & Restore tab under System > Maintenance.

(Screenshot: the System > Status System Information pane listing Serial Number, Uptime, System Time, HA Status, Host Name, Firmware Version, Operation Mode, Virtual Domain and Current Administrators, each with a Change or Update link; and the Backup & Restore tab with its Firmware Upgrade section, which notes that firmware updates through the FortiGuard Analysis & Management Service are available to subscribers.)
Lab 1 - Initial Setup

Tasks

In this lab, you will complete the following tasks:
+ Exercise 1 Connecting to the Command Line Interface (CLI)
+ Exercise 2 Connecting to the FortiGate Web Config
+ Exercise 3 Configuring Network Connectivity
+ Exercise 4 Exploring the CLI
+ Exercise 5 Configuring Global System Settings
+ Exercise 6 Configuring Administrative Users

Exercise 1 Connecting to the Command Line Interface (CLI)

This exercise details the initial orientation of the CLI. When setting up a new FortiGate unit, establishing the connection to the CLI is generally the first step, even if most of the configuration changes are performed in Web Config. With the CLI, verify correct administrator access, confirm the installed FortiOS firmware version, and set some basic parameters to permit access to Web Config for the rest of the system configuration.

Access the console command line interface (CLI) using the RS-232 serial port on the FortiGate unit. Some models use a DB9-F and others use an RJ45-style connector. A serial cable is used to connect the PC to the FortiGate console port. A CLI administrative session can also be accessed remotely using SSH, Telnet, or through a Java console applet during a Web Config administrative session.

Check Device Connections

1. Plug the Internet connection into the wan1 port on the FortiGate unit. Verify that the wan1 LED indicator on the front of the device is green.

Note: In the classroom lab environment, all addresses used are private addresses as outlined in RFC 1918. The wan1 "Internet" subnet is actually a private address subnet and cannot be used in a real-world situation.

2. Connect the PC's network cable into the internal interface (ports 1 through 6) of the FortiGate unit and make sure the corresponding internal LED indicator is green. The FortiGate unit's built-in DHCP server will assign addresses to the devices connected to these ports as required. The factory default subnet assignment of 192.168.1.0/24 will be used.

Note: The internal interface on a FortiGate unit is a multi-port switching hub with auto-MDIX sensing, so either a straight or a cross-over cable can be used.

Log in to the CLI

3. Use a serial cable to connect the PC serial port to the FortiGate console port that is located on the back of the device. If the PC is not equipped with a serial port, you can use a USB-to-serial adapter to connect the PC to the FortiGate device.

4. Start a terminal emulation program on the PC, such as Windows HyperTerminal or TeraTerm. The serial connection settings required are:
+ 9600 bps
+ 8 bit data
+ no parity
+ 1 stop bit
+ no flow control

5. At the FortiGate CLI login prompt, log in with username admin (all lowercase) and an empty password.

6. Reset the FortiGate device to factory defaults by typing the following command:

execute factoryreset

When asked to continue, type Y, press Enter, and wait for the reset to complete.

7. Log in to the CLI once again and type the following command to display status information about the FortiGate unit:

get system status

The output displays the FortiGate unit serial number, firmware build, operational mode, and additional settings.

8. Type the following command to see a full list of accepted keywords:

get ?
Depending on the keyword used with this command, there may be other sub-keywords and additional parameters to enter.

9. Press the Up arrow key to redisplay the previous get system status command and try some of the control key sequences that are summarized below.

Previous command                Up arrow, CTRL+P
Next command                    Down arrow, CTRL+N
Beginning of line               CTRL+A
End of line                     CTRL+E
Back one word                   CTRL+B
Forward one word                CTRL+F
Delete current character        CTRL+D
Abort command and exit branch   CTRL+C

CTRL+C is context sensitive and, in general, aborts the current command and moves up to the previous command branch level. If you are already at the root branch level, CTRL+C will force a logout of the current session and another login will be required.

10. Type the following command and press the Tab key 2 or 3 times:

execute

The command displays the list of available system utility commands one at a time each time the key is pressed.

11. Type the following command to see the entire list of execute commands:

execute ?

As with the get command, keywords may have sub-keywords or require that additional parameters be entered. The FortiGate CLI is hierarchical, and all execute commands can only be invoked when at the top level.

12. Enter the following CLI commands and compare the available keywords for each one:

config ?
show ?

These two commands are closely related: config begins the configuration mode while show displays the configuration. The only difference is show full-configuration. The default behavior of the show command is to display only the differences from the factory-default configuration.

13. Press the Tab key to complete the command keyword. Use this technique when you use the CLI to reduce the number of keystrokes needed to enter information. CLI commands can be entered in an abbreviated form as long as enough characters are entered to ensure the uniqueness of the command keyword.
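The abbreviation rule in step 13, together with the rule that parameter values such as interface names must be typed in full, modelled as an added Python example. This is not FortiOS code: the command tree is a constructed subset of the real hierarchy, and the behaviour on an ambiguous prefix (reject it and list the candidates) is an assumption of this model.

```python
"""Keyword abbreviation in a FortiOS-style CLI (added example, not FortiOS code).

Rule modelled from the exercise text: a keyword may be shortened to any
prefix that is unique among the keywords valid at that level of the command
tree, but a parameter such as an interface name must match exactly.
The command tree below is a constructed subset of the real hierarchy.
"""

# Leaf values: a frozenset lists the accepted parameter values (empty means
# the keyword takes no parameter); None means a free-text parameter.
IFACES = frozenset({"internal", "dmz", "wan1", "wan2"})
NONE = frozenset()
SYSTEM = {"interface": IFACES, "global": NONE, "dns": NONE, "status": NONE,
          "dhcp": {"server": NONE}, "admin": NONE, "accprofile": NONE}

COMMAND_TREE = {
    "config": {"system": {"interface": IFACES, "global": NONE, "dns": NONE},
               "router": {"static": NONE}},
    "show": {"system": SYSTEM, "full-configuration": {"system": SYSTEM}},
    "get": {"system": SYSTEM},
    "execute": {"ping": None, "factoryreset": NONE, "time": NONE, "date": NONE,
                "dhcp": {"lease-list": NONE, "lease-clear": NONE}},
}


class CliError(ValueError):
    """Raised for unknown, ambiguous or badly parameterised input."""


def resolve_keyword(prefix, candidates):
    """Expand one abbreviated keyword.

    An exact match always wins; otherwise the prefix must match exactly one
    keyword at this level, or the input is rejected as ambiguous.
    """
    if prefix in candidates:
        return prefix
    matches = sorted(k for k in candidates if k.startswith(prefix))
    if not matches:
        raise CliError(f"unknown keyword '{prefix}'")
    if len(matches) > 1:
        raise CliError(f"ambiguous '{prefix}': " + ", ".join(matches))
    return matches[0]


def expand_command(line, tree=COMMAND_TREE):
    """Return the fully spelled-out command for an abbreviated input line."""
    node = tree
    words = []
    for token in line.split():
        if isinstance(node, dict):          # still walking the keyword tree
            keyword = resolve_keyword(token, node)
            words.append(keyword)
            node = node[keyword]
        elif node is None:                  # free-text parameter, e.g. a host
            words.append(token)
            node = NONE
        elif not node:                      # leaf that accepts nothing more
            raise CliError(f"unexpected token '{token}'")
        else:                               # closed set of parameter values
            if token not in node:
                raise CliError(
                    f"parameter '{token}' must be typed in full; "
                    f"valid values: {', '.join(sorted(node))}")
            words.append(token)
            node = NONE
    return " ".join(words)


def try_expand(line):
    """Like expand_command, but returns 'error: ...' instead of raising."""
    try:
        return expand_command(line)
    except CliError as exc:
        return f"error: {exc}"


if __name__ == "__main__":
    for sample in ("sh sys int", "conf sys int wan1", "conf sys int int",
                   "exec d", "exec dhcp lease-l", "get sys stat"):
        print(f"{sample:20} -> {try_expand(sample)}")
```

Running the block shows the two cases the exercise warns about: conf sys int int is rejected because int is a parameter value, not a keyword, and exec d is rejected because both date and dhcp begin with d.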
Parameters, however, must be fully typed out. For example, when specifying the interface name internal, it cannot be abbreviated to int or inter.

Note: At the --More-- prompt in the CLI, press the spacebar to continue scrolling or the Enter key to scroll one line at a time. Press q to exit.

14. Enter the CLI command below to display the factory-set IP address of the FortiGate unit's internal interface:

show system interface internal

The internal interface's IP address is 192.168.1.99/24. You will use this address later for HTTPS administrative access to the FortiGate device.

Exercise 2 Connecting to the FortiGate Web Config

This exercise introduces the FortiGate Web Config. To access Web Config using a standard web browser, such as Firefox (1.0 or later) or Microsoft Internet Explorer (6.0 or later), enable cookies and JavaScript for proper rendering and display of the graphical user interface.

Caution: If you are using your own laptop or PC for the following exercise, make sure to record your original PC network settings before proceeding.

1. Set the PC IP settings to DHCP. The FortiGate device will assign the PC an address from the internal interface's DHCP range.

2. Verify the PC settings using the ipconfig command from the Windows command prompt. The default gateway corresponds to the internal interface IP address of the FortiGate unit (192.168.1.99).

3. Open a web browser and type the following address to access the FortiGate Web Config interface:

https://192.168.1.99

Accept the self-signed certificate when the security alert appears. HTTPS is the recommended protocol for administrative access to FortiGate UTM devices. Other available protocols include SSH, ping, SNMP, HTTP, and Telnet. Accepting the self-signed certificate is acceptable here because you are connected directly to a unit you have just reset over the console; on a production unit, install a certificate issued by your own CA so that browsers can tell the real management interface from an impostor.

4. At the login screen, enter the username admin (all lowercase), leave the Password blank, and click Login.

5.
The first window displayed after a successful login is the System Dashboard. Before continuing with the rest of the initial configuration, explore the System Dashboard page and find the following information:
+ Current Firmware Version
+ Date and Time
+ Serial Number
+ Operational Mode

Other system details found on the System Dashboard include the current CPU and memory usage, number of active sessions, recent content inspection statistics, administrative users, and FortiGuard Services status.

6. Before proceeding to the next exercise, ensure that the FortiGate unit is running the correct version of FortiOS firmware required for this class (FortiOS 4.0).

Note: If you are not running the correct version, click Update for Firmware Version and browse to the firmware file, which is available from the Fortinet Support site with a valid service contract.

Exercise 3 Configuring Network Connectivity

In this exercise, the FortiGate unit's wan1 interface settings are configured using one of the following addressing modes: DHCP, Manual (Static IP), or PPPoE. Complete the steps only for the configuration that applies to your Internet setup.
+ If your network setup supports DHCP, complete the section Configuring the wan1 Interface Using DHCP.
+ If you are using static IP addresses, complete the section Configuring the wan1 Interface Using Static Assignments.
+ If your setup supports PPPoE, complete the section Configuring the wan1 Interface Using PPPoE.

Configuring the wan1 Interface Using DHCP

If your Internet setup (ISP or other) supports DHCP, perform the steps below to configure the wan1 interface.

1. In Web Config, go to System > Network. From the Interface tab, click Edit for the wan1 interface.
On the Edit Interface page, configure the following settings:

Addressing mode                        DHCP
Distance                               5
Retrieve default gateway from server   Enable
Administrative access                  HTTPS: Enable

Click Apply.

2. Wait a few seconds for the wan1 interface to acquire an address from the ISP's DHCP server before continuing.

Note: Configuration changes are saved to the non-volatile flash memory when clicking OK in Web Config or when next or end is entered on the CLI. No explicit save command is required. For CLI configuration only, this behavior can be changed to require an explicit save (execute cfg save), or to revert after a set period if an explicit save is not performed:

config system global
    set cfg-save {automatic | manual | revert}
    set cfg-revert-timeout <600>
end

The cfg-revert-timeout value is in seconds and applies only when cfg-save is revert.

3. After a few seconds, click the Status link to refresh and view the acquired DHCP address assignment details.

Configuring the wan1 Interface Using Static Assignments

If you are using static IP assignments for your Internet setup, complete the steps below for your wan1 network configuration.

1. In Web Config, go to System > Network. From the Interface tab, click Edit for the wan1 interface. On the Edit Interface page, configure the following settings:

Addressing mode         Manual
IP/Netmask              Enter the IP address and netmask (given by a network administrator) using the format IP/netmask, for example 192.168.20.20/24.
Administrative access   HTTPS: Enable

Click Apply.

2. Click the Options tab to open Networking Options. In the Primary DNS Server field, enter the IP address of the DNS server given by a network administrator. If a second DNS server is available, enter its IP address in the Secondary DNS Server field. Click Apply.

3. Go to the Router > Static > Static Route tab to configure a static route entry for the default gateway. Click Create New. The New Static Route window opens.
For the wan1 device, set Gateway to the IP address of the default gateway device given by a network administrator. Leave the Destination IP/Mask settings at the default setting. Click OK.

Configuring the wan1 Interface Using PPPoE

If your Internet setup supports PPPoE, perform the steps below to configure your wan1 interface.

1. In Web Config, go to System > Network. From the Interface tab, click Edit for the wan1 interface. On the Edit Interface page, configure the following settings:

Addressing mode                        PPPoE
Username                               Enter your username (given to you by your ISP).
Password                               Enter your password (given to you by your ISP).
Retrieve default gateway from server   Enable (only if your ISP supports this option)
Override internal DNS                  Enable (only if your ISP supports this option)
Administrative access                  HTTPS: Enable

Click Apply.

2. Click the Options tab to open Networking Options. In the Primary DNS Server field, enter the IP address of the DNS server given by a network administrator. If a second DNS server is available, enter its IP address in the Secondary DNS Server field. Click Apply.

3. Go to the Router > Static > Static Route tab to configure a static route entry for the default gateway. Click Create New. The New Static Route window opens. For the wan1 device, set Gateway to the IP address of the default gateway device given by a network administrator. Click OK.

All users, irrespective of the type of addressing used (DHCP, Static, or PPPoE), should continue with the following steps.

Viewing System Settings for wan1
1. From the CLI, type the following commands to view the interface settings for wan1:

config system interface
    edit wan1
        get
    end

Note: Depending on how long it has been since the last command was entered in the CLI, another login may be required.

In the displayed output, note the same parameters that were viewed for the wan1 interface in Web Config in the previous step.

2. Use nslookup to verify the Fortinet web site address, then confirm that the FortiGate unit can reach it. For example:

exec ping www.fortinet.com

Configuring the wan2 Interface

To secure the wan2 interface from accidental usage, remove the IP address and administratively disable this port. The IP address can only be unset from the CLI.

3. In the CLI console, enter the commands below to disable and clear the IP address of the wan2 interface:

config system interface
    edit wan2
        unset ip
        set status down
    end

4. In Web Config, go to System > Network. From the Interface tab, note that the interface list now displays wan2 with an IP address of 0.0.0.0/0.0.0.0 and a disabled status icon (red dot with down-arrow). A display refresh may be needed to see the new status information.

Viewing the Configuration of the Built-in DHCP Server

The FortiGate unit runs a DHCP server configured for the internal interface.

5. Go to System > DHCP. From the Service tab, expand Internal, then expand Servers. Click the Edit icon and view the settings for internal_dhcp_server (pre-defined).

Note: The DHCP leases are preserved even when the FortiGate unit reboots. To clear the DHCP leases, disable and then re-enable the specific DHCP server.

Click Cancel to exit.

Viewing DHCP Address Leases

6. Click the Address Leases tab and locate the entry for the PC in the displayed list. As new PCs are connected to the trusted internal subnet, their DHCP address leases are added to this list.
Exercise 4 Exploring the CLI

In this exercise, you will review the network configuration from the CLI and be introduced to some additional commands.

1. To view the equivalent CLI configuration of the FortiGate interfaces, type the following command:

show system interface

2. To see verbose settings, type the command:

show full-configuration system interface

3. To view additional parameters for all interfaces, type the command:

get system interface

Compare the get command output with the output from the show command. The information from each is similar: get displays all settings and values, while show gives the syntax for the configuration.

The FortiGate CLI is hierarchical, which means that some commands are only applicable at a certain level or context. The next step demonstrates the hierarchy when modifying the wan1 interface to add additional administrative access to assist with troubleshooting during initial deployment. Once the system is operational, ping access may be removed to avoid simple ICMP scans. Keep in mind that enabling SSH on wan1 exposes a management service to the Internet side; the Trusted Hosts setting on each administrator account (Exercise 6) limits which source addresses can use it.

Note: The set allowaccess command is not additive. The existing parameters must be re-entered along with the new parameter; any protocol left out of the new list is removed from the interface.

4. To add SSH access on the wan1 interface, enter the following CLI commands:

config system interface
    edit wan1
        set allowaccess https ping ssh
    end

5. Verify the changes by typing the following command:

show system interface wan1

6. Display the configuration of the DHCP server that provides IP addresses to the PCs connected to the internal interface with the following commands:

show system dhcp server
-or-
show full-configuration system dhcp server
get system dhcp server

7. To inspect the DHCP leases in the CLI for the addresses distributed by the internal interface DHCP server, type:

exec dhcp lease-list

Other available DHCP CLI commands are listed below.
Please do not run these commands at this time.
+ To clear all DHCP leases: exec dhcp lease-clear
+ To refresh a DHCP lease: exec interface dhcpclient-renew <interface>

Exercise 5 Configuring Global System Settings

In this exercise, you will set up the DNS server IP, system time, and a hostname. You will also modify the global settings for administrative time-outs and Web Admin port access.

Configuring DNS Settings

SOHO models, such as the FortiGate-100A and lower, can be configured to automatically use the acquired DNS server address, as well as to perform local DNS forwarding.

1. In Web Config, go to System > Network. On the Options tab, modify the DNS settings:

Use the following DNS server address
Primary DNS Server                     Enter the address given by a network administrator
Secondary DNS Server                   Leave as is
Enable DNS forwarding from internal    (default)

Note: For FortiGate-200 models and higher, the Primary DNS and Secondary DNS servers can only be configured manually. The factory defaults are set to the Fortinet DNS servers, 65.39.139.53 and 65.39.139.63 respectively.

Click Apply.

2. Compare the output of the DNS CLI commands:

show system dns
get system dns

The output should correspond to the changes made in Step 1.

Configuring Time Settings

For logging purposes (and for certificate validity checks, which depend on the clock), as well as to optimize FortiGuard updates, the FortiGate unit will be set to the correct time zone and NTP server synchronization will be enabled. Use a local NTP server or the factory default NTP server (pool.ntp.org).

3. Go to System > Status. On the Status tab, click the Change link for System Time in the System Information pane. In the Time Settings window, set the time zone and enable NTP server synchronization. By default, pool.ntp.org will be used. (The NTP server IP address or FQDN can be used.) Enable Automatically adjust clock for daylight saving if required in your area. Click OK.
4. Display the current system time from the CLI by typing the following command:

exec time

Question: How can you set the system time manually?
Answer: Type exec time ? to view the syntax.

5. Verify that the date setting is correct by typing the following CLI command:

exec date

Configuring the Hostname

Perform the following steps to configure the hostname for the FortiGate unit.

6. Go to System > Status. In the System Information pane, click the Change link for Host Name and change the FortiGate hostname to a name of your choice. Click OK. At the next login, the new hostname will appear in the browser title bar.

7. View the CLI equivalent commands for all the system settings configured in the above steps by typing the following command:

show system global

Configuring Idle Timeout for Web Config

For the purpose of avoiding Web Config timeouts during the lab exercises, increase the idle timeout to the maximum value. This is a classroom convenience only; on a production unit a long idle timeout leaves unattended administrative sessions open.

8. Go to System > Admin and select the Settings tab. Increase the Idle Timeout parameter listed under Timeout Settings to 480. Leave all other settings unchanged. Click Apply to save the changes.

Exercise 6 Configuring Administrative Users

In this exercise, you will configure administrative users with a new administration profile and login.

1. Go to System > Admin. View the current administrator users from the Administrators tab. The factory default Trusted Hosts setting of 0.0.0.0/0.0.0.0 for all three entries allows connection from any host address.

2. The factory default password for the admin account is empty. Click Change Password so the admin user can access the Edit Password window, and set the new password to fortinet. To save the changes, click OK.

3. Log out of Web Config by clicking the Logout icon or closing the web browser.
4. Log back in to Web Config using the new admin password you just created.

5. To enhance administrative security, create a new administrator account that will be used for day-to-day administration of the FortiGate device and will restrict the source IP connection with Trusted Hosts. Go to System > Admin. From the Administrators tab, click Create New. Create a new administrator with the following settings:

Administrator     admin1
Type              Regular
Password          fortinet
Trusted Host #1   192.168.1.0/24
Admin Profile     super_admin

Click OK to save the changes.

Note: Logins to this account are accepted only from source addresses that match its Trusted Hosts setting.

6. Go to System > Admin. On the Admin Profile tab, click Create New to create a new access profile with only read-write access to the content inspection functions in the New Admin Profile window. Limiting access only to the areas affecting content inspection helps to eliminate accidental errors that could adversely affect connectivity. Configure the new access profile using the following settings. You will have to expand the sections to access all of the settings. Click OK.

Note: You can customize the FortiGate interface to show, hide, and arrange widgets, menus, and items according to your specific requirements when you click the Customize link at the bottom of the New Admin Profile window. This customizable feature lets you present different graphical user interface configurations to different administrator roles.

7. Go to System > Admin. On the Administrators tab, click Create New to create a new administrative account that uses the new content-control access profile. Configure the new administrator account using the following settings:

Administrator     cadmin
Type              Regular
Password          123456
Trusted Host #1   192.168.1.0/24
Admin Profile     content-control

Click OK.

8. To view the CLI configuration for administrative users and profiles, type the following commands:

show system admin
show system accprofile

9. Test the new administrative access login. Log out of the current Web Config session and log in again as cadmin (password: 123456). Try to access areas which you have set to Read Only. For example, go to System > Network > Interface. You will only be able to view data, not edit or save it.

The Trusted Host setting configured for admin1 and cadmin allows access only from PCs connected to the internal 192.168.1.0/24 subnet, even if the correct password is entered.

Lesson 2 - FortiGuard Subscription Services

FortiGuard Subscription Services provide continuously updated security solutions to Fortinet security device users, including antivirus, intrusion prevention, web filtering, and antispam. Subscription services are delivered through the FortiGuard Distribution Network.
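Before moving on, the two checks that gate a management login in Lab 1 (the interface's allowaccess list from Exercise 4, and the Trusted Hosts of the administrator account from Exercise 6) as one added Python model. This is not Fortinet code: the account and interface tables are constructed from the lab values, and returning the same generic "login failed" for an untrusted source, an unknown user and a wrong password is a choice of this model so that the failure reason does not reveal which account names exist.

```python
"""Admin-login gating on a FortiGate, modelled in Python (added example; not
Fortinet code). Two checks stand between a client and Web Config or the CLI:

  1. the interface the connection arrives on must list the protocol in its
     allowaccess set ('set allowaccess' replaces the whole set), and
  2. the source address must fall inside one of the account's Trusted Hosts
     (the factory default, shown by the device as 0.0.0.0/0.0.0.0, is any host).

A correct password never bypasses either check. The tables are constructed
from the lab values; the single generic failure string is this model's choice.
"""
from ipaddress import ip_address, ip_network

ANY_HOST = "0.0.0.0/0"        # factory default entry (0.0.0.0/0.0.0.0 on the device)

ADMINS = {
    # factory account: empty password, reachable from anywhere (Exercise 6, step 1)
    "admin":  {"password": "", "profile": "super_admin",
               "trusted_hosts": (ANY_HOST, ANY_HOST, ANY_HOST)},
    # day-to-day account restricted to the internal subnet (step 5)
    "admin1": {"password": "fortinet", "profile": "super_admin",
               "trusted_hosts": ("192.168.1.0/24",)},
    # content-inspection-only account (step 7)
    "cadmin": {"password": "123456", "profile": "content-control",
               "trusted_hosts": ("192.168.1.0/24",)},
}

INTERFACES = {
    "internal": {"status": "up", "allowaccess": {"https", "ping", "ssh"}},
    "wan1":     {"status": "up", "allowaccess": {"https", "ping"}},
    "wan2":     {"status": "down", "allowaccess": set()},   # Exercise 3, step 3
}


def set_allowaccess(iface, *protocols):
    """Mirror 'set allowaccess': the new list replaces the old one outright."""
    INTERFACES[iface]["allowaccess"] = set(protocols)


def in_trusted_hosts(username, src_ip):
    """True if src_ip matches any Trusted Host entry of the account."""
    src = ip_address(src_ip)
    return any(src in ip_network(entry, strict=False)
               for entry in ADMINS[username]["trusted_hosts"])


def login(iface, protocol, username, password, src_ip):
    """Return (accepted, detail) for a management connection attempt.

    Interface checks come first because the device decides them before any
    credentials are read; account checks come second.
    """
    nic = INTERFACES.get(iface)
    if nic is None or nic["status"] != "up":
        return False, f"{iface} is down"
    if protocol not in nic["allowaccess"]:
        return False, f"{protocol} not in allowaccess on {iface}"
    account = ADMINS.get(username)
    if account is None or not in_trusted_hosts(username, src_ip):
        return False, "login failed"          # right password does not help here
    if account["password"] != password:
        return False, "login failed"
    return True, account["profile"]


if __name__ == "__main__":
    print(login("internal", "https", "admin1", "fortinet", "192.168.1.50"))
    print(login("wan1", "https", "admin1", "fortinet", "203.0.113.7"))  # right password, wrong subnet
    print(login("wan1", "https", "admin", "", "203.0.113.7"))           # why step 2 sets a password
    set_allowaccess("wan1", "ssh")                                        # https not repeated
    print(login("wan1", "https", "admin", "", "203.0.113.7"))
```

The third call is the case the exercise is guarding against: with the factory Trusted Hosts and an empty password, the default admin account is usable from any address that can reach an interface with HTTPS enabled. The last call shows the non-additive allowaccess behaviour: after set allowaccess ssh on wan1, HTTPS is gone from that interface even though nothing about the account changed.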
With the FortiGuard Subscription Services enabled, administrators can ensure that their FortiGate, FortiMail, and FortiClient installations are performing optimally and are protecting their corporate assets with the latest security technology.

FortiGuard Distribution Network

The FortiGuard Distribution Network delivers updates to FortiGate, FortiMail, and FortiClient products from secure, high-availability data centers in locations worldwide. Delivery methods include push, pull, or a customized delivery frequency that can be configured based on the requirements of the organization; set it up once and updates arrive automatically. This system ensures that devices are updated to provide high levels of detection for both known and unknown threats. FortiGuard Subscription Services are continuously updated to provide up-to-date protection from new and emerging threats before they can harm corporate resources or infect end-user computing devices.

Worldwide coverage of FortiGuard services is provided by FortiGuard Service Points. When a FortiGate unit connects to the FortiGuard Distribution Network, it is connecting to the closest FortiGuard Service Point. Fortinet adds new Service Points as required. If a Service Point becomes unreachable for any reason, the FortiGate unit contacts another Service Point and information is available within seconds.

By default, the FortiGate unit communicates with the Service Point using UDP on port 53. Alternately, the UDP port used for Service Point communication can be switched to port 8888 through Web Config. If you must change the default FortiGuard Service Point hostname, use the CLI:

config system fortiguard
    set hostname <name>
end
You cannot change the FortiGuard Service Point hostname in Web Config.

If the FortiGate unit is unable to connect to the FortiGuard Distribution Network, check the configuration. For example, routes may need to be added to the FortiGate routing table to allow the FortiGate unit to use HTTPS on port 443 to connect to the Internet.

Connecting to the FortiGuard Servers

The following steps illustrate the process used by the FortiGate unit to locate and connect to the FortiGuard servers to submit a query.

1. The FortiGate unit submits a DNS A record lookup for service.fortiguard.net.
2. The DNS server returns the IP address for service.fortiguard.net to the FortiGate unit.
3. The FortiGate unit submits an INIT message, license check, and server list request to the service.fortiguard.net server.
4. The service.fortiguard.net server returns the service status and server list information to the FortiGate unit.
5. The FortiGate unit submits a query to the FortiGuard server (for example, in what category is www.google.com).
6. The FortiGuard server returns the response to the query (for example, www.google.com is in the Search Engine category).
7. If no response is obtained from the first server within the timeout period, the next FortiGuard server in the server list is contacted.
8. The next available FortiGuard server returns the response to the query.

The server list is initially ordered by weight. The weight is equal to the time zone difference between the FortiGate unit and the FortiGuard server multiplied by 10. The top servers on the list have the best round-trip time; all other servers are listed by weight. The server list can be viewed in the CLI using the following command:
diag debug rating

FortiGuard Antivirus Service

The FortiGuard Antivirus Service keeps FortiGate and FortiClient devices fully up to date with the latest antivirus defenses against network-based threats. Updates to the FortiGate device and FortiClient installations are fully automated to ensure protection against the latest content-level threats. The FortiGuard Antivirus Service prevents both new and evolving virus, spyware, and malware threats and vulnerabilities from gaining access to your network, applications, or data assets.

Fortinet collaborates with the world's leading threat monitoring organizations to advise on and learn of new vulnerability discoveries. The following steps illustrate how new threats and vulnerabilities are addressed through the service:
1. Fortinet engineers identify a new virus threat.
2. An antivirus signature is developed and tested by Fortinet engineers.
3. The antivirus signature database is uploaded to the FortiGuard Distribution Network.
4. The FortiGuard Antivirus Service automatically pushes the update to FortiGate/FortiClient/FortiMail devices, which are dynamically updated.
5. When the cyber attack is launched, the FortiGate/FortiClient/FortiMail units block the attack.

Signature updates are delivered continually through the FortiGuard Antivirus Service. Lesson 7 of this course will discuss antivirus filtering.

FortiGuard Intrusion Protection System Service

The FortiGuard Intrusion Prevention System (IPS) Service arms FortiGate customers with the latest defenses against stealthy, malicious, and suspicious network-level threats.
Fortinet works with organizations worldwide to isolate the latest application and OS vulnerabilities, to prevent both new and yet unknown threats and vulnerabilities from gaining access to networks, applications, or data assets. The FortiGuard IPS Service includes a library of over 4000 IPS signatures and the latest anomaly inspection, deep packet inspection, full content inspection, and activity inspection engines. Policies allow full control of all attack detection methods to provide flexibility to the organization. The FortiGuard IPS Service also supports behavior-based heuristics, adding valuable recognition capabilities beyond simply matching content against known signatures.

FortiGuard Web Filtering Service

Surfing the Internet has become a critical part of conducting business and is often a requirement for government and educational institutions. However, inappropriate Internet usage has led to lower productivity, inappropriate use of company resources, harassment, legal liability, and human resource issues. The FortiGuard Web Filtering Service is a hosted service designed to provide web URL filtering for schools, libraries, government agencies, and enterprise businesses of all sizes.

FortiGuard Rating Server

The FortiGuard Rating Server is a master ratings database that consists of billions of web page addresses. The FortiGuard Web Filtering Service can be activated on the FortiGate device to regulate and block access to harmful, inappropriate, and dangerous web sites, which may contain phishing attacks and/or malware such as spyware.

FortiGuard Web Filtering Service

The FortiGuard Web Filtering Service delivers updates through the FortiGuard Distribution Network to regulate web activities to meet different usage policies and compliance requirements.
The FortiGuard Web Filtering Service provides policy-based access control for over 75 web content categories, over 60 million rated web sites, and more than two billion web pages. The FortiGuard Web Filtering Service has been developed to attain CIPA compliance with HR4577.

The following steps illustrate how web pages are identified using the ratings database through the FortiGuard Web Filtering Service:

1. A user requests access to a web page.
2. The request is sent to the web site, and a rating request is made simultaneously to the FortiGuard Rating Server.
3. When the rating response is received by the FortiGate unit, it is compared to the policy rules. If the policy allows the page, the web site response is passed to the requestor. Otherwise, a user-definable blocked message is sent to the requestor and the event is logged in the content filtering log.

If the rating for the web page is cached in the FortiGate unit, it is immediately compared with the policy for the user. Lesson 9 of this course will discuss web filtering.

FortiGuard Antispam Service

With the heavy and growing reliance on email for business communications, the ability to keep email servers running smoothly and spam free is becoming more critical than ever. If legitimate email is falsely classified as spam it can be equally disastrous for a corporation, as critical communications can become impaired. Unsolicited email (spam) has created tremendous pressure on the communication infrastructure. Some side effects include wasteful email server build-out, downtime, and the unknowing transport of spyware, greyware, intrusions, or even embedded viruses. Fortinet's FortiGuard Antispam Service delivers antispam signature updates for FortiGate, FortiMail, and FortiClient customers to help reduce the amount of spam at the network perimeter.
To increase detection rates, the FortiGuard Antispam Service deploys dual scan technology to quickly identify, tag, or block obvious spam messages. The FortiGuard Antispam Service uses an IP address blacklist compiled from email captured by spam probes located around the world, along with other spam filtering tools. Spam probes are decoy email addresses purposely configured to attract spam and identify known spam sources in order to build the antispam IP address list. A dedicated team of engineers and analysts monitors global spam activity and analyzes the latest spam techniques to provide comprehensive protection against spam. The FortiGuard Antispam Service is automated by Fortinet to provide constant monitoring and dynamic updates.

Antispam Filters

The FortiGuard Antispam Service takes a multi-layer approach and uses a number of filtering techniques to detect and filter spam.

Global Filters

Through the FortiGuard Distribution Network, the FortiGuard Antispam Service provides two databases, namely FortiIP and FortiSig, as global filters. FortiIP is a sender IP reputation database, while FortiSig is a spam signature database. These global filters are constantly updated and enable FortiGate, FortiClient, and FortiMail products to detect and block the most prevalent spam.

Local Filters

Various customized spam filters are provided on the FortiGate, FortiClient, and FortiMail devices. These customized filters range from banned word filters, local white and black lists of sender email addresses, and heuristic rules, to highly sophisticated techniques such as Bayesian training in FortiMail. The FortiGuard Antispam Service provides the global filters, while the service delivery units complete the antispam solution with local filters.

Spam Filtering Techniques
Spam filtering techniques include:

+ Real-Time Blackhole List (RBL) support
+ Open Relay Database Server (ORDB) support
+ Black/white list support
+ Keyword/phrase blocking
+ IP address blacklist/exempt list
+ DNS lookup support
+ Email address lookup support
+ MIME header checking
+ Image spam protection

The following steps illustrate how spam is addressed through the service:

1. A user receives an email. The FortiGate or FortiMail unit obtains the SMTP mail server source address, and the email header, subject, and body are checked for common spam content.
2. The FortiGuard Antispam Service checks the information against the antispam IP address list.
3. If the source address matches the list of known spammers, the FortiGuard Antispam Service tags the email or terminates the session according to the configuration in the firewall protection profile. If the FortiGuard Antispam Service does not find a match, the email is allowed and the mail server sends the email to the recipient.

Lesson 8 of this course will discuss spam filtering.

Enabling FortiGuard Subscription Services

Licensing

Each of the FortiGuard Subscription Services comes with a free 30-day trial license. To renew the FortiGuard license after the free trial, contact Fortinet Technical Support.
The License Information pane on the Status tab in Web Config displays the status of your FortiGate support contract and FortiGuard subscriptions. The FortiGate unit updates the license information status indicators automatically by connecting to the FortiGuard network. FortiGuard subscription status indicators are green for OK, grey if the FortiGate unit cannot connect to the FortiGuard network, and yellow if the license has expired.

[Screenshot: License Information pane listing the Support Contract, and the FortiGuard Subscriptions for AntiVirus (AV Definitions and Extended set), Intrusion Protection (IPS Definitions), Web Filtering, AntiSpam (AS Rule set) and Analysis & Management Service, each with its Licensed or Expired status, expiry date, last update date and Update link, followed by the Virtual Domain count.]

Scheduled Updates

To receive scheduled updates to the antivirus and IPS definitions, the FortiGate unit must be able to connect to the FortiGuard Distribution Network using HTTPS on port 443. The schedule options include the ability to check for updates to the definitions at the following times:

+ Once every 1 to 23 hours. Select the number of hours and minutes between each update request.
+ Once a day. You can specify the time of day to check for updates.
+ Once a week. You can specify the day of the week and the time of day to check for updates.

If your organization provides updates using its own FortiGuard server, or if a connection to the FortiGuard Distribution Network cannot be made, the Use override server address option may be used.
When enabled, enter the IP address or domain name of a FortiGuard server. Optionally, this may be the FortiManager IP address if the device is being managed by a FortiManager 3000/3000B and the FortiManager is configured to provide FortiGuard services.

Push Updates

The FortiGuard Distribution Network can push antivirus and IPS updates to FortiGate units to provide the fastest possible response to critical situations. The FortiGate unit must be registered before it can receive push updates.

When a FortiGate unit is configured to allow push updates, it sends a SETUP message to the FortiGuard Distribution Network. The next time new antivirus or IPS definitions are released, the FortiGuard Distribution Network notifies all FortiGate units that are configured for push updates that a new update is available. Within 60 seconds of receiving a push notification, the FortiGate unit requests an update from the FortiGuard Distribution Network.

When the network configuration permits, configuring push updates is recommended in addition to configuring scheduled updates. On average the FortiGate unit receives new updates sooner through push updates than if it receives only scheduled updates. Enabling push updates is not recommended as the only method for obtaining updates: the FortiGate unit might not receive the push notification, and when it does receive one it makes only one attempt to connect to the FortiGuard Distribution Network and download the updates.
The SETUP message that the FortiGate unit sends when you enable push updates includes the IP address of the FortiGate interface to which the FortiGuard Distribution Network connects. The interface used for push updates is the interface configured in the default route of the static routing table. The FortiGate unit sends the SETUP message again if you change the IP address of this interface manually, or if you have set the interface addressing mode to DHCP or PPPoE and your DHCP or PPPoE server changes the IP address. The FortiGuard Distribution Network must be able to connect to this IP address for your FortiGate unit to receive push update messages. If you have redundant connections to the Internet, the FortiGate unit also sends the SETUP message when one Internet connection goes down and the FortiGate unit fails over to the other Internet connection. If your device is operating in Transparent mode and the management IP address is changed, the FortiGate unit also sends the SETUP message to notify the FortiGuard Distribution Network of the address change.

Push updates might be unavailable if:

+ The FortiGate unit has not been registered.
+ There is a NAT device installed between the FortiGate unit and the FortiGuard Distribution Network (see Push Updates Through a NAT Device).
+ The FortiGate unit connects to the Internet using a proxy server. If the FortiGate unit must connect to the Internet through a proxy server, use the config system autoupdate tunneling command to allow the FortiGate unit to connect, or tunnel, to the FortiGuard Distribution Network through the proxy server.

Push Updates Through a NAT Device

If the FortiGuard Distribution Network can only connect to the FortiGate unit through a NAT device,
you must configure port forwarding on the NAT device and add the port forwarding information to the push update configuration. The FortiGate unit can only receive update messages on UDP port 9443.

In the example below, the FortiGate unit is configured to allow push updates. The override push IP address is configured as 172.16.1.1 using UDP port 12443. This tells the FortiGuard server to send updates to that address and port. Push updates are sent by the FortiGuard server to 172.16.1.1 on port 12443 as configured. The NAT device then maps this address and port to the FortiGate unit at 10.10.10.1 on UDP port 9443, and the update is received by the FortiGate unit.

[Figure: FortiGate unit (10.10.10.1, Allow Push Update enabled, Use Override Push IP 172.16.1.1 UDP port 12443) behind a NAT device performing destination NAT (172.16.1.1 UDP port 12443 mapped to 10.10.10.1 UDP port 9443), with the FortiGuard server on the far side.]

Manual Updates

The FortiGuard antivirus and IPS definitions can be updated manually at any time from the License Information pane on the Status tab in Web Config. For manual updates, the latest definition files must be downloaded from Fortinet and copied to the computer used to connect to Web Config.

Manual Updates to Antivirus Definitions

The Update link for AV Definitions allows an administrator to locate the antivirus definition file to be used for the manual update. Click Browse to locate the file.

[Screenshot: Anti-Virus Definitions Update dialog with an Update File field and Browse, OK and Cancel buttons.]

Manual Updates to Intrusion Protection Definitions

The Update link for IPS Definitions allows an administrator to locate the IPS definition file to be used for the manual update. Click Browse to locate the file.

[Screenshot: Intrusion Prevention System Definitions Update dialog with an Update File field and Browse, OK and Cancel buttons.]

Caching

Caching is available for web filtering and antispam.
Caching is strongly recommended as it improves performance by reducing the number of FortiGate unit requests to the FortiGuard server. The cache uses a small percentage of the FortiGate system memory. When the cache is full, the least recently used IP address or URL is deleted. A Time To Live (TTL) setting controls the number of seconds that blocked IP addresses and URLs are stored in the cache before the server is contacted again.

[Screenshot: Web Filtering and AntiSpam cache options in Web Config.]

FortiGuard Web Filtering Categories

Web filtering options are enabled through a firewall protection profile. The FortiGuard Web Filtering Service provides a wide range of categories and sub-categories by which web traffic can be filtered. For each category and sub-category of FortiGuard-rated web sites, the administrator can specify the action required: whether the site is allowed, blocked, or logged, or whether an override is allowed. Lesson 9 of this course will provide full details on enabling and configuring the web filtering capabilities on the FortiGate unit using protection profiles.

[Screenshot: FortiGuard Web Filtering category list in a protection profile, with Allow, Block, Log and Allow Override options for each category and sub-category.]

Antispam Controls

Spam filtering options are enabled through a firewall protection profile. The FortiGuard Antispam Filtering Service provides the ability to filter email based on a variety of mail types, including IMAP, POP3, and SMTP.
[Screenshot: Spam Filtering options in a protection profile.]

Lesson 8 of this course will provide full details on how to enable and configure the spam filtering capabilities on the FortiGate unit.

Configuring FortiGuard Subscription Services Using the CLI

The CLI can also be used to configure communications with the FortiGuard Distribution Network (FDN) for FortiGuard services. By default, FortiGate units connect to the FDN using a set of default connection settings. You can override these settings to use IP addresses and port numbers other than the defaults. For example, if using a FortiManager unit with FortiGuard Server capability (FMG3000/B), a local copy of the FortiGuard service updates can be downloaded to the FortiManager unit, and those updates can then be redistributed by configuring the system fortiguard hostname variable to use the IP address of the FortiManager unit. (This is done automatically when adding a device to FortiManager and enabling the local FortiGuard option.) The server override setting allows you to locally specify the FortiGuard servers. By default the FortiGate unit contacts the configured hostname to retrieve the server list.

The following CLI command can be used to configure the services:

config system fortiguard

The variables that can be used with this command include:

Variable                 Description
avquery-cache            Enable or disable caching of FortiGuard Antivirus query results.
avquery-cache-ttl        Set a time to live (TTL) in seconds for antivirus cache entries.
avquery-cache-mpercent   Set the maximum memory to be used for FortiGuard Antivirus query caching.
avquery-license          Display the time interval between license checks for the FortiGuard Antivirus service contract.
avquery-expiration       View the expiration date of the FortiGuard Antivirus service contract.
avquery-timeout          Set the time limit in seconds for FortiGuard Antivirus service queries.
webfilter-status         Enable or disable the use of the FortiGuard Web Filtering service.
webfilter-cache          Enable or disable caching of FortiGuard Web Filtering query results, including category ratings, for URLs.
webfilter-cache-ttl      Set a time to live (TTL) in seconds for web filtering cache entries.
webfilter-license        Display the time interval between license checks for the FortiGuard Web Filtering service contract.
webfilter-expiration     View the expiration date of the FortiGuard Web Filtering service contract.
webfilter-timeout        Set the FortiGuard Web Filtering query timeout.

FortiGuard Center

The FortiGuard Center is a comprehensive online resource providing a rich security knowledge base and technical resources, including:

+ Spyware, virus, intrusion prevention, web content filtering, and antispam attack library
+ Vulnerability encyclopedia, which provides detailed descriptions of vulnerabilities in popular operating systems and applications
+ Virus, spyware, spam, and dangerous web URL submission service

The Fortinet FortiGuard Center is where to find timely threat and vulnerability information, as well as other online resources provided by Fortinet's Global Threat Response Team. The FortiGuard Center is updated around the clock as new information becomes available. The FortiGuard Center is accessed at http://www.FortiGuardCenter.com.

[Screenshot: FortiGuard Center web site.]
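The pieces described earlier in this lesson fit together in one client: Connecting to the FortiGuard Servers gives the server list ordered by weight, a query timeout and failover to the next server; the Web Filtering Service steps say a cached rating is compared with the policy at once; and Caching describes least-recently-used eviction plus a TTL after which the server is contacted again. The following Python is an added simulation written for this edit, not FortiOS code or anything shipped by Fortinet. The server names, time zone offsets, round-trip times and category data are constructed, and the query method and the "Unrated" result for an unknown URL are assumptions made for the example. The weighting follows the rule stated in the lesson (time zone difference multiplied by 10, lowest first), with round-trip time used only to break ties.

```python
from collections import OrderedDict


class ServerTimeout(Exception):
    """A FortiGuard server did not answer within the query timeout."""


class FortiGuardServer:
    """Constructed stand-in for one entry of the FortiGuard server list."""

    def __init__(self, name, tz_offset_hours, rtt_ms, ratings, alive=True):
        self.name = name
        self.tz_offset_hours = tz_offset_hours  # server's UTC offset, used for the weight
        self.rtt_ms = rtt_ms                    # measured round-trip time
        self.ratings = ratings                  # constructed url -> category table
        self.alive = alive

    def query(self, url, timeout_ms):
        # No answer inside the timeout is the 'contact the next server' case.
        if not self.alive or self.rtt_ms > timeout_ms:
            raise ServerTimeout(self.name)
        return self.ratings.get(url, "Unrated")  # 'Unrated' is an assumption


def order_server_list(servers, local_tz_offset_hours):
    """Weight = time zone difference x 10, lowest first; RTT breaks ties."""
    def sort_key(server):
        weight = abs(server.tz_offset_hours - local_tz_offset_hours) * 10
        return (weight, server.rtt_ms)
    return sorted(servers, key=sort_key)


class RatingCache:
    """LRU cache with a TTL: a full cache drops the least recently used
    entry, and an entry older than ttl_s is discarded so that the server
    is contacted again."""

    def __init__(self, max_entries, ttl_s):
        self.max_entries = max_entries
        self.ttl_s = ttl_s
        self._entries = OrderedDict()  # url -> (category, stored_at)

    def get(self, url, now):
        item = self._entries.get(url)
        if item is None:
            return None
        category, stored_at = item
        if now - stored_at > self.ttl_s:
            del self._entries[url]  # expired: force a fresh query
            return None
        self._entries.move_to_end(url)  # mark as most recently used
        return category

    def put(self, url, category, now):
        if url in self._entries:
            self._entries.move_to_end(url)
        elif len(self._entries) >= self.max_entries:
            self._entries.popitem(last=False)  # evict the least recently used entry
        self._entries[url] = (category, now)

    def __contains__(self, url):
        return url in self._entries


class RatingClient:
    """Cache first, then the ordered server list, failing over on timeout."""

    def __init__(self, servers, local_tz_offset_hours, cache, timeout_ms=2000):
        self.servers = order_server_list(servers, local_tz_offset_hours)
        self.cache = cache
        self.timeout_ms = timeout_ms

    def rate(self, url, now):
        """Return (category, source); source is 'cache' or the server name."""
        category = self.cache.get(url, now)
        if category is not None:
            return category, "cache"
        for server in self.servers:
            try:
                category = server.query(url, self.timeout_ms)
            except ServerTimeout:
                continue  # try the next server in the list
            self.cache.put(url, category, now)
            return category, server.name
        raise RuntimeError("no FortiGuard server answered for %s" % url)


def build_demo_client():
    """Constructed topology: three servers; the best-weighted one is down."""
    ratings = {"www.google.com": "Search Engine",
               "news.example.test": "News and Media"}
    servers = [
        FortiGuardServer("fds-eu", 1, 120, ratings),
        FortiGuardServer("fds-us-east", -5, 40, ratings, alive=False),
        FortiGuardServer("fds-us-west", -8, 70, ratings),
    ]
    cache = RatingCache(max_entries=2, ttl_s=1800)
    return RatingClient(servers, local_tz_offset_hours=-5, cache=cache)


if __name__ == "__main__":
    client = build_demo_client()
    print([s.name for s in client.servers])
    print(client.rate("www.google.com", now=0))
    print(client.rate("www.google.com", now=100))
```

In the constructed topology the server with the best weight (same time zone as the FortiGate unit) is out of service, so the first query for www.google.com is answered by the second server in the list; the same query within the 1800-second TTL is answered from the cache, and once the TTL has expired the servers are queried again. When no server answers at all the client raises instead of guessing a category, which is the point at which a deployment has to decide how unrated traffic is treated.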
Lab 2 Fortinet Subscription Services

Tasks

In this lab, you will complete the following tasks:

+ Exercise 1 Enabling FortiGuard Services and Updates

Exercise 1 Enabling FortiGuard Services and Updates

In this exercise, you will configure access to the FortiGuard Distribution Network (FDN) along with which FortiGuard Services are available based on the FortiGuard subscription entitlement.

Note: You can only complete this exercise if the FortiGate unit has already been registered on the Fortinet Support web site (https://support.fortinet.com).

1. Log in to Web Config as admin (password: fortinet).
2. Go to System > Maintenance. On the FortiGuard tab, check the details of the FortiGuard licensing entitlement for the FortiGate unit.

Question: What is the antivirus definition version, expiry, and last update attempt for your FortiGate unit? If only the version field is showing, the FortiGate unit firmware was upgraded recently and there have been no further update attempts.

Note: In the classroom environment, the FortiGate unit is behind a NAT device. Port forwarding must be configured on the NAT device, otherwise the Push Update feature will not work. See the online help for more information on how to configure Push Updates.

3. On the FortiGuard tab, expand Web Filtering and AntiSpam Options and edit the following FortiGuard services settings:

Enable Web Filter: enable
Enable Cache TTL: 1800 seconds (30 minutes)
Enable AntiSpam: enable
Enable Cache TTL: 1800 seconds (30 minutes)
Port Selection: 53 (default)

Click Test Availability to establish connectivity between the FortiGate unit and the FDN server.
The display will update to show the FortiGuard Web Filtering and AntiSpam subscription information. Ensure that the FortiGate unit has a valid subscription before proceeding.

Note: By default, FortiGuard uses UDP/53 because this port is almost always open. On port 53 the FortiGuard request/response may trigger an IPS alert, as the data is encrypted rather than DNS. Change to UDP/8888 for FortiGuard communication and ensure that upstream devices permit this traffic to pass.

4. Expand AntiVirus and IPS Options and click Update Now to force the FortiGate unit to obtain the latest AV and IPS definitions. This action sends a request to an FDN server. After 3 to 5 minutes, if properly entitled and depending on Internet congestion, the FortiGate unit will receive and install updated definitions. Wait a few minutes, then click the FortiGuard menu tab again and check for the new updates. Today's date should appear next to the Update link for both AV and IPS Definitions.

The AV and IPS signature databases can also be updated either individually or together through the CLI using the following commands:

exec update-av    Update AV engine/definitions
exec update-ips   Update IPS engine/definitions
exec update-now   Update now

Note: Antivirus and IPS updates can also be set to be pushed automatically to the FortiGate unit. To allow push updates, expand AntiVirus and IPS Options, enable Allow Push Update and set an update schedule as required, for example, every 4 hours.

Note: The update-now function is only for updating Antivirus and IPS definitions and not for upgrading the system firmware.

5. View the CLI settings by entering the following commands in a CLI session:

show system autoupdate schedule
show system fortiguard

Compare the output with:

get system autoupdate schedule
get system fortiguard
Note: The FortiGuard autoupdate interval was set to 4 hours through Web Config, but the CLI (show system autoupdate schedule) shows 4:60. This means that the additional minutes will be picked randomly from 0 to 59. This helps to spread out the request load on the FortiGuard server. An exact hour and minute interval can be set through the CLI as illustrated in this example:

userX # config system autoupdate schedule
(schedule) # set time ?
hour and minute hh:mm (mm=60 means random)
(schedule) # set time 4:00
(schedule) # end

Verify the change with:

show system autoupdate schedule

Before proceeding to the next lab, perform a complete backup of the FortiGate configuration. Go to System > Maintenance. On the Backup & Restore tab, click Backup. Save the backup to your PC with the following name: Lab2_fgt_system.conf

LESSON 3 Logging and Alerts

Lesson 3 Logging and Alerts

Logging is a key element of maintaining a FortiGate unit in a network. Logging allows an administrator to track down and pinpoint problems efficiently by monitoring the many facets of network and Internet traffic. In addition to identifying problems, logging lets an administrator monitor normal events, as well as establish network behavior baselines, such as allowed traffic, typical traffic patterns (regular protocols that pass through the network), and traffic volume. This type of network information can tell an administrator at a glance whether or not the FortiGate device is functioning correctly and can help identify any configuration changes that are necessary for optimal operation.

Log Storage Locations

FortiGate logs can be stored in various locations depending on the type and frequency of the logs to save. For example, if logging traffic and content, configure the FortiGate device to send logs to a FortiAnalyzer unit.
FortiGate logs can be stored in the following locations:

+ Local hard disk
+ FortiAnalyzer
+ System memory
+ Syslog
+ FortiGuard Analysis Service

Local Hard Disk

If the FortiGate unit has a hard disk, enable logging to the hard disk from the CLI. All log types are supported when logging to the hard disk except for Content logs. Logs stored on the hard disk can also be uploaded to a FortiAnalyzer unit.

FortiAnalyzer

A FortiGate device can be configured to send log messages to a FortiAnalyzer unit. FortiAnalyzer units are network appliances that provide integrated log collection, analysis tools, and data storage. Logging to the FortiAnalyzer unit is enabled on the FortiGate device either by specifying the FortiAnalyzer device's IP address or by enabling Automatic Discovery. With automatic discovery enabled, the FortiGate unit uses HELO packets to locate FortiAnalyzer units that are available on the network within the same subnet. Once discovered, the FortiGate unit can automatically enable logging to the FortiAnalyzer unit and begin sending log data.

[Screenshot: Log Settings page with Remote Logging expanded and FortiAnalyzer selected, showing the Automatic Discovery and IP address options.]

The syslog protocol (UDP port 514) is used by default by the FortiGate unit to transport log messages to the FortiAnalyzer unit. TCP port 514 (OFTP) is used to transfer the content archive and to remotely view the log files and reports. If logging data traverses a public network, an IPSec tunnel can be used to secure the communication between the FortiGate and FortiAnalyzer devices. The FortiGate unit can send all log message types, as well as quarantine files, to a FortiAnalyzer unit for storage. Log files stored on a FortiAnalyzer unit can also be uploaded to an FTP server for archival purposes.
System Memory

When logging to memory is enabled, recent log entries are stored for most log types except for Traffic and Content, mainly due to their frequency and large file size. When the system has reached its capacity for log messages, the FortiGate unit overwrites the oldest messages. If the FortiGate unit has a hard disk, the CLI can be used to enable logging to the FortiGate hard disk. Logs stored on the hard disk can also be uploaded to a FortiAnalyzer unit or to an FTP server. Memory logs can be viewed from Log & Report > Log Access, or read from the CLI using the command execute display log once a log filter has been defined.

[Screenshot: Log Settings page with Memory selected and the Minimum log level set to Information.]

Memory is volatile, that is, if the FortiGate unit is reset or loses power, log entries captured to memory will be lost.

Syslog

A syslog server is a remote computer running software used to collect forwarded log messages in an IP network. Administrators commonly use syslog servers as logging devices because any computer can run syslog software, including Linux, Unix, and Windows systems. Syslog captures Traffic, Event, VoIP, Antispam, Antivirus, and Attack logs. It does not support Content Archive logs. The content archive is a file that is filled locally by the proxy and then copied across to a FortiAnalyzer device. The content archive uses the OFTP (Odette File Transfer) protocol.

[Screenshot: Log Settings page with Syslog selected, showing the Name/IP field, Port 514, Minimum log level, Facility local7 and the Enable CSV Format check box.]

Usually, communication with the syslog server takes place on port 514, but any port number can be used.
When logging to a syslog server, there are two different log file formats available: Comma Separated Values (CSV) or normal. The CSV format separates fields with commas, whereas the normal format separates them with spaces.

FortiGuard Analysis Service

The FortiGuard Analysis Service is a subscription-based service that provides a web-based logging and reporting solution.

[Screenshot: Log Settings page with Remote Logging expanded and the FortiGuard Analysis Service option.]

Logging to Multiple FortiAnalyzer Units or Syslog Servers

FortiGate devices can support up to three FortiAnalyzer units and/or syslog servers for logging. This allows for load balancing of log traffic in busy network environments. For example, send all Event logs to FortiAnalyzer device 1, all Web Filter logs to FortiAnalyzer device 2, and Traffic logs to FortiAnalyzer device 3. Logging to multiple destinations is configured using the CLI. For more information, see the FortiGate CLI Reference Guide.

Logging Levels

All log messages have severity, or priority, levels. You define at what severity level the FortiGate unit records logs when you configure the logging location. All messages at and above the minimum log level selected will be logged. For example, if you select the Error level, Error, Critical, Alert, and Emergency level messages will be logged.

[Screenshot: Log Settings page with the Minimum log level drop-down list showing Emergency, Alert, Critical, Error, Warning, Notification, Information and Debug.]

Emergency

Event logs, specifically administrative events, can generate an emergency severity level. This level indicates the system has become unstable.
Alert

Attack logs are the only logs that generate an alert severity level. This level indicates that immediate action is required.

Critical

This level is generated by event, antivirus, and spam filter logs and indicates that functionality is affected.

Error

This level is generated by event and spam filter logs and indicates that an error condition exists and functionality could be affected.

Warning

This level is generated by event and antivirus logs and indicates that functionality could be affected.

Notification

This level is generated by traffic and web filter logs and indicates information about normal events.

Information

This level is generated by content archive, event, and spam filter logs and indicates general information about system operations.

Debug

This level is primarily used as a support function on an as-

[Screenshot: Log Settings page showing the log location options (Remote Logging, Memory, Syslog) and the Minimum log level list.]

Enable the storage location to be used, then set a log severity level from the Minimum log level drop-down list. Depending on the log location selected, you must configure various other parameters. You will explore these parameters in future lab exercises.

Configuring Logging

Enabling Log Generation

Depending on the information required to log, logging can be enabled in various locations in Web Config:

+ Protection profile
+ Event log
+ Firewall policy or network interface

Protection Profile

Content inspection logging is enabled within a protection profile, including Antivirus, Web Filtering, FortiGuard Web Filtering, Spam Filtering, IPS, IM/P2P, and VoIP.
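Logging Levels above states that everything at and above the selected minimum level is recorded, Syslog describes the CSV and normal formats, and Logging to Multiple FortiAnalyzer Units or Syslog Servers describes splitting log types across up to three destinations. The following Python is an added example written for this edit, not FortiOS code: it parses a few constructed log lines in the space-separated key=value style of the normal format, applies each destination's minimum level and log-type filter, and renders the accepted lines as CSV or normal text. The field names (date, time, log_id, type, subtype, pri, msg), the level spelling "notification", the sample messages and the destination names are assumptions made for the example, not the unit's actual log format.

```python
import csv
import io
import shlex

# Severity order from the Logging Levels section, most severe first.
SEVERITY = ["emergency", "alert", "critical", "error",
            "warning", "notification", "information", "debug"]
RANK = {name: index for index, name in enumerate(SEVERITY)}

# Column order used when rendering; the field names are assumed for the example.
COLUMNS = ["date", "time", "log_id", "type", "subtype", "pri", "msg"]

# Constructed sample lines in the space-separated normal format.
SAMPLE_LOGS = [
    'date=2009-05-01 time=10:02:11 log_id=0100032001 type=event subtype=admin '
    'pri=information vd=root user="admin" msg="User admin login successfully from https(10.0.1.5)"',
    'date=2009-05-01 time=10:05:40 log_id=0420070000 type=attack subtype=signature '
    'pri=alert vd=root src=203.0.113.7 dst=10.0.1.20 msg="signature match, session dropped"',
    'date=2009-05-01 time=10:07:15 log_id=0021000001 type=traffic subtype=allowed '
    'pri=notification vd=root src=10.0.1.20 dst=198.51.100.9 dstport=443 msg="traffic allowed"',
    'date=2009-05-01 time=10:09:02 log_id=0316013056 type=webfilter subtype=urlfilter '
    'pri=warning vd=root src=10.0.1.20 msg="URL blocked by policy"',
    'date=2009-05-01 time=10:10:30 log_id=0100020001 type=event subtype=system '
    'pri=debug vd=root msg="scheduled update check"',
]


def parse_log_line(line):
    """Split a normal-format line into a dict; shlex keeps quoted values whole."""
    fields = {}
    for token in shlex.split(line):
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def format_csv(fields):
    """CSV rendering: comma separated, values quoted only when they need it."""
    buffer = io.StringIO()
    csv.writer(buffer, lineterminator="").writerow([fields.get(c, "") for c in COLUMNS])
    return buffer.getvalue()


def format_normal(fields):
    """Normal rendering: space-separated key=value, quoting values that contain spaces."""
    parts = []
    for column in COLUMNS:
        value = fields.get(column, "")
        parts.append('%s="%s"' % (column, value) if " " in value else "%s=%s" % (column, value))
    return " ".join(parts)


class Destination:
    """One log destination: minimum level, optional log-type filter, output format."""

    def __init__(self, name, min_level, log_types=None, csv_format=False):
        self.name = name
        self.min_level = min_level
        self.log_types = set(log_types) if log_types else None  # None means all types
        self.csv_format = csv_format

    def accepts(self, fields):
        level = fields.get("pri")
        if level not in RANK:
            return False  # an unknown severity is never forwarded
        if RANK[level] > RANK[self.min_level]:
            return False  # less severe than the configured minimum
        if self.log_types is not None and fields.get("type") not in self.log_types:
            return False
        return True

    def render(self, fields):
        return format_csv(fields) if self.csv_format else format_normal(fields)


def route_logs(lines, destinations):
    """Deliver each parsed line to every destination whose filter accepts it."""
    delivered = {destination.name: [] for destination in destinations}
    for line in lines:
        fields = parse_log_line(line)
        for destination in destinations:
            if destination.accepts(fields):
                delivered[destination.name].append(destination.render(fields))
    return delivered


def demo_destinations():
    """Constructed split modelled on the lesson's example: events to one
    FortiAnalyzer, web filter and attack logs to a syslog server in CSV,
    traffic to a third unit, and a memory log that keeps no traffic logs."""
    return [
        Destination("memory", "information", log_types=["event", "attack", "webfilter"]),
        Destination("fortianalyzer-1", "debug", log_types=["event"]),
        Destination("syslog-2", "warning", log_types=["webfilter", "attack"], csv_format=True),
        Destination("fortianalyzer-3", "notification", log_types=["traffic"]),
    ]


if __name__ == "__main__":
    for name, lines in route_logs(SAMPLE_LOGS, demo_destinations()).items():
        print(name, len(lines))
```

With the constructed destinations, the debug-level event line reaches only the FortiAnalyzer unit whose minimum is Debug, the alert-level attack line is accepted by both the memory log and the CSV syslog destination, and the traffic line goes only to the third unit. The message containing a comma is quoted in the CSV output, which is the detail to check when a downstream parser splits syslog CSV naively.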
[Screenshot: protection profile Logging section with check boxes for Antivirus, Web Filtering, FortiGuard Web Filtering, Spam Filtering, IPS, IM/P2P, Application Control and Data Leak Prevention logging]
Event Log
FortiGate management, system activity, and VPN event logging are enabled through the Event Log by selecting the various Event Log options.
[Screenshot: Event Log tab with options such as System activity event, IPsec negotiation event, DHCP service event, Admin event, HA activity event, Firewall authentication event, Pattern update event, SSL VPN user authentication event, SSL VPN administration event, SSL VPN session event, and CPU & memory usage (every 5 minutes)]
If you use the CLI to disable certain event logs for a destination, the Event Log options display check boxes that are grayed out.
Firewall Policy or Network Interface
Traffic logging can be enabled per firewall policy or per interface. Logging traffic per firewall policy is more granular and better suited for troubleshooting.
[Screenshot: firewall policy list with the Log Allowed Traffic option]
When traffic logging is enabled on a majority of firewall policies, consideration must be made for the CPU and network utilization of the logging operation. Local hard disk traffic logging on heavily used systems can be CPU intensive and should be avoided whenever possible.
Remote devices such as FortiAnalyzer units or syslog servers should be used instead. Traffic logging can also be enabled per interface.
Viewing Log Files
The Log Access menu provides individual tabs for viewing log files stored on a FortiAnalyzer unit, FortiGuard Analysis Server, memory, and hard disk, if available. Each tab provides options for viewing log messages, such as search and filtering options, including selecting the log type to view. The columns that appear in the Log Access menu reflect the content found in the log file.
The top portion of the Log Access page includes navigational features to help move through the log messages and locate specific information, for example, going to the next page, previous page, last, or first page. A number can also be entered to jump ahead to a particular page of log messages, for example, entering the number 5 displays the fifth page.
If the FortiGate unit has a local hard disk that is enabled for logging, another tab for Local Disk is displayed.
Log Display Formats
Log messages can be viewed in Formatted view or Raw view.
Formatted View
The formatted view displays log messages in organized columns. In this view, you can customize the column display and filter log messages.
[Screenshot: Log Access page in formatted view]
You can add or remove the log information columns you wish to display, for example, Date, Time, and Source, using Column Settings.
[Screenshot: Column Settings dialog with the Available fields list and the Show these fields in this order list]
Filters allow only the log messages that fit specified filter criteria to be viewed. For example, to view all log messages for a specific date range, use the Date filter.
[Screenshot: log filter dialog]
Raw View
When log messages display in raw view, the log message displays as it would in a regular log file.
Content Archiving
The content archive feature lets you store session transaction data on an offline storage device for the following types of network traffic:
+ HTTP
+ FTP
+ NNTP
+ IM (AIM, ICQ, MSN, Yahoo!)
+ Email (POP3, IMAP, SMTP)
Content archiving is only available when the FortiGate unit is configured to log to a FortiAnalyzer unit. If logging to the FortiGuard Analysis Server, only content summaries of logs are stored.
Enabling Content Archiving
Content archiving is enabled through DLP rules. A DLP sensor is created using the rule, then applied within a protection profile. Choose to display the content meta-information of the HTTP, HTTPS, FTP, IMAP, POP3, SMTP, and IM traffic on the system dashboard or archive the full content to a FortiAnalyzer device. Enable at least one of the content protection functions, such as antivirus scanning, web filtering, and spam filtering, for the relevant protocol to use the full content archiving features for that protocol. To be able to access all content archiving options, you must configure a FortiAnalyzer unit and enable logging.
Viewing Content Archives
All archived logs stored on a FortiAnalyzer unit or FortiGuard Analysis Server can be viewed from Log&Report > Content Archive in Web Config. The FortiGuard Analysis Server only stores the content summary of logs. To view logs in Raw format, click the Raw link next to the Column Settings link.
[Screenshot: Content Archive page with Formatted and Raw view links]
Alert Email
The Alert Email feature enables the FortiGate unit to send email notifications to a user's email address upon detection of a message meeting a defined event type or security level. For example, an alert email can be configured to send notifications for critical events such as an HA member leaving the HA cluster.
Configuring Alert Email
The FortiGate unit uses the SMTP server name to connect to the mail server. When configuring alert email, configure at least one DNS server. Up to three recipients can be specified per mail server and the email body is base64 encoded.
[Screenshot: Alert E-mail tab with SMTP server, Email from, Email to, Interval Time and event selection fields]
SNMP
Simple Network Management Protocol (SNMP) enables administrators to manage hardware on a network including servers, workstations, routers, switches, and other network devices.
An SNMP managed network is made up of three main components: managed devices, agents, and SNMP managers. Configure the hardware or FortiGate SNMP agent to report system information and to send traps (alarms or event messages) to SNMP managers. An SNMP manager is a computer running an application that can read the incoming traps from the agent and track the information. Using an SNMP manager, access SNMP traps and data from any FortiGate interface configured for SNMP management access.
The FortiGate SNMP implementation is read-only. SNMP v1 and v2c compliant SNMP managers have read-only access to FortiGate system information and can receive FortiGate traps. To monitor FortiGate system information and receive FortiGate traps, compile the Fortinet proprietary Management Information Bases (MIBs), as well as the Fortinet supported standard MIBs (available from the Fortinet Support site), into an SNMP manager.
Configuring SNMP
SNMP is configured through System > Config in Web Config. On the SNMP v1/v2c tab, enable the SNMP Agent option and enter information for the following parameters: Description, Location, and Contact.
[Screenshot: SNMP v1/v2c tab with the SNMP Agent check box and the Description, Location and Contact fields]
SNMP Communities
You can add SNMP communities so that SNMP managers can connect to the FortiGate unit to view system information and receive SNMP traps. SNMP communities can be configured to have different SNMP queries and traps and they can be configured to monitor the FortiGate unit for different sets of SNMP events. You can add up to eight SNMP managers per community.
[Screenshot: New SNMP Community page with Hosts, Queries and Traps settings]
Configuring an Interface for SNMP Access
You must configure one or more interfaces on the FortiGate unit to accept SNMP connections before a remote SNMP manager will be able to connect to the FortiGate agent. SNMP configuration steps include modifying one of the interfaces through Web Config from the System > Network menu and enabling SNMP in the Administrative Access pane.
[Screenshot: Edit Interface page for the internal interface showing the Administrative Access options]
SNMP Traps Available
The FortiGate agent can send traps to SNMP managers added to SNMP communities. To receive traps, load and compile the Fortinet 3.0 MIB into the SNMP manager. All traps include the trap message, as well as the FortiGate unit serial number and hostname. The following is a list of available traps:
+ CPU Overusage
+ Memory Low
+ Log disk space low
+ HA cluster status changed
+ Interface IP changed
+ Virus detected
+ IPS Signature
+ IPS Anomaly
+ VPN tunnel up
+ VPN tunnel down
Lab 3 Logging and Monitoring
Tasks
In this lab, you will complete the following tasks:
+ Exercise 1 Exploring Web Config Monitoring
+ Exercise 2 Configuring System Event Logging
+ Exercise 3 Exploring the FortiAnalyzer Interface
+ Exercise 4 Configuring Email Alerts
+ Exercise 5 SNMP Set-up (Optional)
Exercise 1 Exploring Web Config Monitoring
You have already examined the System Information and License Information sections of the System Dashboard.
This exercise gives you a brief tour of the status information presented in other areas of the Dashboard.
1. Log in to Web Config as admin. Go to System > Status to view the System Dashboard.
There are several areas that provide summary information and clickable icons or links that provide additional information through a pop-up window or a new information window.
2. Locate the System Resources pane on the System Dashboard. Check the CPU Usage and Memory Usage status dials.
3. Hover the mouse pointer over the System Resources title bar and click History.
A pop-up window appears showing a trace of past CPU Usage, Memory Usage, Session, Network Utilization, Virus, and Intrusion History.
In the System Resource History graph window, the time interval represented by each horizontal grid square can be selected from the pull-down menu to the right of Time interval. The refresh rate of this window is automatically set to 41120th of the time interval.
Click Close to return to the System > Status tab.
4. The Alert Message Console pane displays the five most recent critical system events, such as system restart and firmware upgrade. Hover over the Alert Message Console title bar and click the History icon to view a pop-up window that displays the entire message list.
[Screenshot: Alert Message Console history showing "2009-03-08 09:35:21 System restart"]
5. Session and content inspection statistics are shown in the Statistics pane. Since there will have been little or no traffic through the FortiGate unit and no content inspection configured, the Content Archive and Attack Log statistics will be uninteresting at this time.
The Reset link in the top-right of the Statistics box will clear the current statistics counts.
[Screenshot: Statistics pane (Since 2009-03-09 09:41:15) showing zero Content Archive counters for HTTP, HTTPS, Email, FTP and IM, and zero Attack Log counters for AV, IPS, Spam, Web and DLP]
6. There will already be a number of sessions recorded by the FortiGate unit. The Top Sessions pane is not displayed by default. Add it by clicking Add Content > Top Sessions. Click the Details link to display more information about the sessions. Test the function of the various icons in this screen. There are icons for screen refresh, page forward and back, column display filters, as well as clear session.
Question: Can you identify the Web Admin sessions in the Session table display? (Hint: Look for the TCP sessions from the PC IP address to the IP address of the Internal interface of the FortiGate unit.)
Question: For what are the majority of port 53 sessions? (Hint: Remember that FortiGuard Services are enabled.)
Exercise 2 Configuring System Event Logging
In this exercise, you will configure system event logging, as well as the destination where the FortiGate unit will send the log messages. You will enable logging to memory and to the FortiAnalyzer device, which will archive the log messages and later generate reports. If the FortiGate unit has a hard disk, set local log message archiving.
1. Go to Log&Report > Log Config. From the Log Setting tab, expand Remote Logging and enable FortiAnalyzer.
Apply the following settings:
Minimum log level: Information
Static IP Address
For initial testing purposes, the log level is set to the lowest and most verbose level, Information. In real deployments, the level would more likely be set to Warning or Notification.
Automatic discovery of a FortiAnalyzer unit with the FortiDiscovery Protocol (FDP) is only applicable when the FortiGate unit and the FortiAnalyzer unit are on the same broadcast domain (subnet). This would be a rare situation in an actual network but appropriate for a FortiGate 5000 chassis when a FortiAnalyzer blade is used.
2. While still on the Log Settings tab, enable and expand the Memory option and verify that the Minimum log level is set to Information. Click Apply.
3. In the Remote Logging section, click Test Connectivity to register with the FortiAnalyzer device. A pop-up window displays to indicate a successful connection and registration process.
The FortiAnalyzer unit being used is configured to automatically accept and register all new FortiGate device connections. Alternate settings are to register only (and ignore logging messages) or ignore (manual registration). In an actual scenario, there would be additional configuration required at the FortiAnalyzer end to permit the necessary connection for manual device registration. Click Close to exit from the FortiAnalyzer Connection Summary window.
4. On the Event Log tab, click Enable and select all events. Click Apply to save the changes.
You can display the CLI settings for the logging destinations with the following command:
  get log <destination> filter
Substitute fortianalyzer or memory for the destination above.
Note: There are different logging capabilities, depending on the destination. The keywords may also differ.
5. Test the logging setup with some simulated log messages sent to the logging destinations using the following CLI command:
  diagnose log test
6. Go to Log&Report > Log Access. On the Memory tab, select the Log Type pull-down menu to view the different log message types. Select each log type one at a time and check the Memory tab for the test messages.
Exercise 3 Exploring the FortiAnalyzer Interface
1. Connect to the FortiAnalyzer device Web Config by typing the following address in a web browser: http: 7.230.134
Accept the self-signed certificate messages when they are displayed. Log in with the username student and the password fortinet. After a successful login, the FortiAnalyzer Dashboard displays.
2. From the FortiAnalyzer Web Config, go to Log > Browse. On the Log Browser tab, expand No Group and expand the FortiGate device name to verify that log messages are being received by the FortiAnalyzer unit. FortiGate device names are configured as HostName_SerialNumber. Expand a traffic category and the name of the log file will display. Click Display to display the log file.
The log message view is pre-formatted to show selected items in columns. The messages are color-coded according to severity level. Explore the log message display features in the Log Browser. To show the original unformatted log message that was sent by the FortiGate unit, click Raw in the Log Browser window. To change the log type, click the change link to modify the log view selection.
3. Go to Log > Log Viewer. Click the Historical tab. Select the device name from the Devices drop-down menu. Select the log type. Click OK.
From this window you can specify the number of entries to display on a page, manage column settings, and display information in its original unformatted state.
4. Log out of the FortiAnalyzer device.
Exercise 4 Configuring Email Alerts
In this exercise, you will configure the FortiGate unit to send alert mail to a test mail account. This exercise can only be completed if you have an online email account with which you can test.
1. In Web Config on the FortiGate unit, go to Log&Report > Log Config. Select the Alert E-mail tab and use the following settings to complete the Alert E-mail configuration:
SMTP server: <your online email account server name or IP>
Email from
Email to
Authentication: set to enable if your server requires authentication
SMTP user
Password
Interval Time: 1 minute
Send alert mail for the following: Intrusion and Virus detected
Click Apply to save the settings.
2. Click Test Connectivity. Test messages will be sent to the email account.
3. Open an email client application and confirm that the test messages have been received.
Alert emails can be sent based on selected event categories or simply on a log message threshold level. If a threshold level is used, the CLI contains additional interval hold-off timers for log levels above the selected threshold level. Check the following CLI commands for the Alert E-mail configuration:
  show system alertemail
  show alertemail setting
Note: If the FortiGate unit collects more than one log message before an interval is reached, it combines the messages and sends out one alert email.
Exercise 5 SNMP Set-up (Optional)
You enable SNMPv1 and SNMPv2c on the FortiGate unit to permit monitoring and statistics-gathering by a remote SNMP server.
This is not used in the lab scenario but this exercise provides the basic configuration steps for SNMP setup on the FortiGate device.
1. Go to System > Config. On the SNMP v1/v2c tab, enable SNMP Agent. Enter a description and location. For contact, use your online email address. Click Apply to save the changes.
2. Click Create New to add a new community called 201training. Accept the default settings and click OK.
+ SNMP connections can be restricted to certain IP addresses with the Hosts setting.
+ Either SNMP v1 or v2c queries and traps can be enabled separately with default or customized ports.
+ The SNMP traps to send can be selected individually.
3. Enable SNMP access on the interfaces facing the network management station by typing the following commands in the CLI:
  config system interface
    edit internal
      set allowaccess ping http https snmp
    end
4. View the CLI configuration for the SNMP settings:
  show full-configuration system snmp sysinfo
  show full-configuration system snmp community
Note that the CPU, memory, and hard-disk trap thresholds can be set in the CLI.
5. Locate the FortiGate MIB and Trap file and open the MIB file with a simple text editor to view the contents.
Note: The FortiGate MIB is available from the Fortinet Technical Support web site at https://support.fortinet.com. A registered login ID is required for access.
Use of an SNMP MIB view application is beyond the scope of this course. If one is available and configured, try to access the FortiGate unit with SNMP and view some MIB objects. You must enable SNMP administrative access on the FortiGate interface. The following applications can be downloaded for testing purposes:
+ Getif (http://www.wtcs.org/snmp4tpc/getif.htm)
+ AdRem SNMP Manager (http://www.adremsoft.com/snmpman)
Lesson 4 Firewall Policies
Firewall policies control all traffic passing through the FortiGate unit.
Firewall policies are instructions that the FortiGate unit uses to decide what to do with a connection request. When the firewall receives a connection request in the form of a packet, it analyzes the packet and compares the content to determine if the information contained conforms to a policy that is in place. ACCEPT policies accept communication sessions. An accept policy can apply FortiGate features such as virus scanning and authentication to the communication session accepted by the policy. DENY policies deny communication sessions. Firewall policies can also be used to control connections and traffic between FortiGate interfaces, zones, and VLAN subinterfaces.
Overview
For a packet to be connected through the FortiGate unit, the source address, destination address, and service of the packet must match a firewall policy. The policy directs the firewall action on the packet. The action can be to allow the connection, deny the connection, require authentication before the connection is allowed, or process the packet as an IPsec VPN or SSL VPN packet. Each policy can be configured to route connections or apply Network Address Translation (NAT) to translate source and destination IP addresses and ports. IP Pools can be used in conjunction with dynamic NAT when the firewall translates source addresses. Policies can also be used to configure Port Address Translation (PAT) through the FortiGate unit. Protection profiles are used with firewall policies to apply different protection settings for the traffic that is controlled by firewall policies. Traffic logging can be enabled for a firewall policy so the FortiGate unit will log all connections that use this policy.
Policy Matching
When the FortiGate unit receives a connection attempt on an interface, it selects a policy list to search through for a policy that matches the connection attempt. The FortiGate unit chooses the policy list based on the source and destination addresses of the connection attempt. The FortiGate unit starts at the top of the selected policy list and searches down the list for the first policy that matches the connection attempt source and destination addresses, service port, and time and date at which the connection attempt was received. The first policy that matches is applied to the connection attempt. If no policy matches, the connection is dropped.
Arrange policies in the policy list from more specific to more general. For example, the default policy is a very general policy because it matches all connection attempts. Exceptions to that policy are added to the policy list above the default policy. No policy below the default policy will ever be matched.
General policies are policies that can accept connections from multiple source and destination addresses or from address ranges. General policies can also accept connections from multiple service ports or have schedules that mean the policy can be matched over a wide range of times and dates. Policies that are exceptions to general policies should be added to the policy list above the general policies. For example, a general policy may allow all users on the internal network to access all services on the Internet. To block access to specific services, such as FTP servers on the Internet, add a policy that denies FTP connections above the general policy. The deny policy blocks FTP connections. Connection attempts for all other kinds of services do not match the FTP policy but do match the general policy.
Therefore, the firewall still accepts all connections from the internal network to the Internet other than FTP connections. If virtual domains are enabled on the FortiGate unit, firewall policies are configured separately for each virtual domain.
Firewall Policy List
The policy list displays details of policies in place on the FortiGate device. You can add, delete, edit, and re-order policies from the list.
Column Settings
Some columns of information may not be displayed by default. You can use the Column Settings options to add or remove table columns from the displayed list. Select the item to display from the Available fields list and click > to move it to the Show these fields in this order list. Reorder the items in the Show these fields in this order list by selecting the item and clicking Move Up or Move Down.
[Screenshot: Column Settings dialog for the policy list]
For example, if the Count field is added to the column settings, the number of packets and bytes that match a firewall policy can be displayed.
[Screenshot: policy list with the Count column displayed]
Filtering columns
Click the Filter icon to edit the column filters, which allow the policy list to be filtered or sorted according to the criteria specified. Filters are useful for reducing the number of entries that are displayed on the list. Filters can be added for one column or for multiple columns. Filter configuration is maintained after leaving Web Config, after logging out of Web Config, or after rebooting the FortiGate unit.
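The first-match evaluation described under Policy Matching, with the FTP deny placed above and then below the general accept policy, as an added example that is not the course's or Fortinet's code. It also parses the firewall address formats the Firewall Addresses section lists later in this lesson; the interface names, policy IDs, addresses and service table are constructed for illustration.

```python
"""Added example, not part of the course: a small model of FortiGate
first-match policy evaluation, including the address formats the lesson
describes (x.x.x.x/x, x.x.x.x-x.x.x.x, x.x.x.[x-x], x.x.x.*).
Interface names, policy IDs, addresses and services are constructed."""
import ipaddress
from datetime import datetime


def parse_address(text):
    """Return the (first, last) integer bounds covered by a firewall address."""
    if text == "all":                                  # the default All address
        return 0, 2**32 - 1
    if text.endswith("]"):                             # 192.168.110.[100-120]
        base, span = text[:-1].split(".[")
        lo, hi = span.split("-")
        text = f"{base}.{lo}-{base}.{hi}"
    if "-" in text:                                    # 192.168.110.100-192.168.110.120
        lo, hi = text.split("-")
        return int(ipaddress.ip_address(lo)), int(ipaddress.ip_address(hi))
    if text.endswith(".*"):                            # 192.168.110.* = whole /24
        text = text[:-2] + ".0/24"
    # x.x.x.x/x, x.x.x.x/x.x.x.x, or a bare host address (treated as /32)
    net = ipaddress.ip_network(text, strict=False)
    return int(net.network_address), int(net.broadcast_address)


def address_matches(text, ip):
    lo, hi = parse_address(text)
    return lo <= int(ipaddress.ip_address(ip)) <= hi


# Constructed service table: name -> (protocol, port); ANY matches everything.
SERVICES = {"ANY": None, "HTTP": ("tcp", 80), "HTTPS": ("tcp", 443),
            "FTP": ("tcp", 21), "DNS": ("udp", 53)}


def service_matches(name, proto, port):
    spec = SERVICES[name]
    return spec is None or spec == (proto, port)


def schedule_matches(schedule, when):
    """'always', or (weekday numbers, start hour, end hour) for a recurring schedule."""
    if schedule == "always":
        return True
    days, start, end = schedule
    return when.weekday() in days and start <= when.hour < end


def find_policy(policies, session):
    """Search top to bottom; the first policy matching every field wins."""
    for p in policies:
        if (p["srcintf"] == session["srcintf"]
                and p["dstintf"] == session["dstintf"]
                and address_matches(p["srcaddr"], session["src"])
                and address_matches(p["dstaddr"], session["dst"])
                and service_matches(p["service"], session["proto"], session["port"])
                and schedule_matches(p["schedule"], session["when"])):
            return p
    return None


def decide(policies, session):
    """No matching policy means the connection is dropped."""
    p = find_policy(policies, session)
    return "drop" if p is None else p["action"]


# The lesson's example: a specific FTP deny placed above a general accept.
DENY_FTP = {"id": 2, "srcintf": "internal", "dstintf": "wan1",
            "srcaddr": "192.168.1.*", "dstaddr": "all",
            "service": "FTP", "schedule": "always", "action": "deny"}
GENERAL = {"id": 1, "srcintf": "internal", "dstintf": "wan1",
           "srcaddr": "192.168.1.0/24", "dstaddr": "all",
           "service": "ANY", "schedule": "always", "action": "accept"}
CORRECT_ORDER = [DENY_FTP, GENERAL]
WRONG_ORDER = [GENERAL, DENY_FTP]   # the deny policy is never reached


def sample_session(port=21, proto="tcp", src="192.168.1.110"):
    """Constructed internal -> wan1 connection attempt on Monday 2009-03-09."""
    return {"srcintf": "internal", "dstintf": "wan1", "src": src,
            "dst": "203.0.113.10", "proto": proto, "port": port,
            "when": datetime(2009, 3, 9, 9, 41)}


if __name__ == "__main__":
    print("FTP, deny above general:", decide(CORRECT_ORDER, sample_session()))
    print("FTP, deny below general:", decide(WRONG_ORDER, sample_session()))
```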
[Screenshot: Filters dialog for the policy list columns]
Different filter styles are available depending on the type of information displayed in individual columns. In all cases, filters are configured by specifying what to filter on and whether to display information that matches the filter or to select NOT to display information that does not match the filter.
Moving policies
A policy can be moved within the list to influence the order in which policies are evaluated. When more than one policy has been defined for the same interface pair, the policy that is first in the list is evaluated first.
[Screenshot: Move Policy dialog with the Before and After options]
The ordering of firewall encryption policies is important to ensure that they take effect as expected: firewall encryption policies must be evaluated before regular firewall policies. Moving a policy in the list does not change its policy ID number. The policy ordering can also be changed using the CLI move command from the firewall policy table. For example:
  config firewall policy
    move X before Y
  end
User Authentication to Firewall Policies
User authentication can be enabled on a firewall policy so that end users using the firewall policy will be challenged to identify themselves before they can use the policy. Policies that require authentication must be added to the policy list above matching policies that do not; otherwise, the policy that does not require authentication is selected first. Authentication is available if the action is set to Accept or SSL VPN. Add users and a firewall protection profile to a user group before enabling authentication for the policy.
In the case of user ID and password authentication, the end users are prompted to input their user name and password. For certificate authentication, you install customized certificates on the FortiGate unit and end users can also have customized certificates installed on their browsers. Otherwise, the end users will see a warning message and have to accept the default FortiGate certificate, which the end users' web browsers may deem invalid.
Firewall authentication also includes LDAP, RADIUS, Active Directory, and TACACS+ authentication. To allow the FortiGate unit to authenticate with an Active Directory server using single sign-on, the Fortinet Server Authentication Extensions (FSAE) must be installed on the Active Directory Domain Controller. Once the user authenticates to Windows, they will not have to perform a second authentication to the firewall policy.
Authentication Protocols
You can specify the protocol to be used to issue the authentication challenge. The firewall policy must also include the authentication protocol for the end users to be able to get authenticated. For example, if you are creating a POP3 policy and using the HTTP protocol for authentication, the firewall policy services must include at least HTTP and POP3. User authentication supports the following protocols:
+ HTTP
+ HTTPS
+ Telnet
+ FTP
Lesson 6 of this course will discuss authentication in more detail.
Creating or Editing Policies
Click Create New on the Policy tab or Insert Policy before in the policy list to create a new firewall policy. Click Edit for an existing firewall policy in the policy list to edit the policy. The Source and Destination Interface/Zone matches the firewall policy with the source and destination interfaces of a communication session.
The Source and Destination Address matches the source and destination address of the communication session.

Schedule defines when the firewall policy is enabled.

Service matches the firewall policy with the service used by a communication session.

Action defines how the FortiGate unit processes traffic. Specify an action to accept or deny traffic, or configure a firewall encryption policy.

Enable the remaining firewall policy options to set additional features. They appear in the New Policy and New Authentication Rule windows.

Firewall Addresses

Firewall addresses are added to the source and destination address fields of firewall policies. Firewall addresses are added to firewall policies to match the source or destination IP addresses of packets that are received by the FortiGate unit.

Note: The Comments field is very useful to complete, as you can capture important details about the firewall policy to which you may need to refer.

Configuring Addresses

Addresses can be created or edited from the New Address or Edit Address dialog box (Firewall > Address) or, during firewall policy configuration, from the Address pull-down list in the firewall policy window (Create New). The FortiGate unit comes configured with the default All address, which represents any IP address on the network. This is required in order to reach all addresses on the Internet.

Address Name

A firewall address can be configured with a name, an IP address, and a netmask, or with a name and an IP address range.
A single IP address can be added with no mask or with a 32-bit mask. The firewall address can also be a fully qualified domain name (FQDN). The name assigned to the address will be used to identify the address in the firewall policy dialog box. Addresses, address groups, and virtual IPs must have unique names to avoid confusion in firewall policies.

Type

Addresses can be identified by a Subnet/IP Range or an FQDN.

Subnet/IP Range

Enter the firewall IP address and subnet mask, or enter an IP address range separated by a hyphen. The firewall IP address can be:

• The IP address of a single computer
• The IP address of a subnetwork (for example, a class C subnet)

An IP Range address represents a range of IP addresses within a subnet, for example, a range ending at 192.168.20.10.

Enter an IP address and netmask using the following formats:

• x.x.x.x/x.x.x.x (address and dotted netmask)
• x.x.x.x/x (address and mask length)

Enter an IP address range using the following formats:

• x.x.x.x-x.x.x.x, for example, 192.168.110.100-192.168.110.120
• x.x.x.[x-x], for example, 192.168.110.[100-120]
• x.x.x.*, for example, 192.168.110.* to represent all addresses on the subnet

FQDN

If you select FQDN as the address Type, you must enter the fully qualified domain name. Enter an FQDN using the following format: <hostname>...

[Figure residue: virtual IP diagram; only the labels "Original" and "Destination Port" are legible.]

Dynamic IP Pool

When NAT is enabled in the firewall policy, the option to enable Dynamic IP Pool
becomes available. You enable, then
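To make the policy-matching rule (first match in list order wins, so an authenticating policy must sit above any broader policy that would also match) and the address notations from the Subnet/IP Range section concrete, here is an added Python example. It is not code from the course or from Fortinet's products: the Policy class, the function names, the policy list and the sample addresses (including the documentation address 203.0.113.7) are all constructed for illustration, and move_before only mimics what the CLI "move X before Y" does to list order.

```python
import ipaddress
import re
from typing import Callable, List, Optional

# Added example: a toy model of first-match policy evaluation and of the
# firewall-address notations listed in the course text. Not Fortinet code;
# names and sample values are assumptions made for illustration.

_LAST_OCTET_RANGE = re.compile(r"^(\d+\.\d+\.\d+)\.\[(\d+)-(\d+)\]$")
_WILDCARD = re.compile(r"^(\d+\.\d+\.\d+)\.\*$")


def parse_address(spec: str) -> Callable[[str], bool]:
    """Turn one address notation into a predicate over an IPv4 address string.

    all               built-in address matching any IP
    x.x.x.x/x.x.x.x   address plus dotted netmask
    x.x.x.x/x         address plus mask length
    x.x.x.x           single host (no mask is treated as a 32-bit mask)
    x.x.x.x-x.x.x.x   explicit range
    x.x.x.[x-x]       range within the last octet
    x.x.x.*           every host in that /24
    """
    spec = spec.strip()
    if spec.lower() == "all":
        return lambda ip: True
    m = _WILDCARD.match(spec)
    if m:
        net = ipaddress.ip_network(f"{m.group(1)}.0/24")
        return lambda ip: ipaddress.ip_address(ip) in net
    m = _LAST_OCTET_RANGE.match(spec)
    if m:
        lo = ipaddress.ip_address(f"{m.group(1)}.{m.group(2)}")
        hi = ipaddress.ip_address(f"{m.group(1)}.{m.group(3)}")
        if hi < lo:
            raise ValueError(f"range end precedes start: {spec}")
        return lambda ip: lo <= ipaddress.ip_address(ip) <= hi
    if "-" in spec:
        lo_s, hi_s = spec.split("-", 1)
        lo, hi = ipaddress.ip_address(lo_s), ipaddress.ip_address(hi_s)
        if hi < lo:
            raise ValueError(f"range end precedes start: {spec}")
        return lambda ip: lo <= ipaddress.ip_address(ip) <= hi
    # Dotted mask, mask length, or bare host; strict=False tolerates host bits.
    net = ipaddress.ip_network(spec, strict=False)
    return lambda ip: ipaddress.ip_address(ip) in net


class Policy:
    """One row of the policy list: interface pair, addresses, services, action."""

    def __init__(self, policy_id: int, src_intf: str, dst_intf: str,
                 src: str, dst: str, services: List[str], action: str,
                 auth: bool = False) -> None:
        self.policy_id = policy_id
        self.src_intf, self.dst_intf = src_intf, dst_intf
        self.src_match, self.dst_match = parse_address(src), parse_address(dst)
        self.services = {s.upper() for s in services}
        self.action, self.auth = action, auth

    def matches(self, src_intf, dst_intf, src_ip, dst_ip, service) -> bool:
        return (self.src_intf == src_intf and self.dst_intf == dst_intf
                and self.src_match(src_ip) and self.dst_match(dst_ip)
                and ("ANY" in self.services or service.upper() in self.services))


def first_match(policies: List[Policy], src_intf, dst_intf,
                src_ip, dst_ip, service) -> Optional[Policy]:
    """Walk the list top-down; the first matching policy wins. None = implicit deny."""
    for p in policies:
        if p.matches(src_intf, dst_intf, src_ip, dst_ip, service):
            return p
    return None


def move_before(policies: List[Policy], policy_id: int, before_id: int) -> List[Policy]:
    """Reorder like the CLI 'move X before Y'; policy IDs are left unchanged."""
    moving = next(p for p in policies if p.policy_id == policy_id)
    rest = [p for p in policies if p.policy_id != policy_id]
    idx = next(i for i, p in enumerate(rest) if p.policy_id == before_id)
    rest.insert(idx, moving)
    return rest


def demo():
    """Constructed scenario: an authenticated POP3 policy placed below a broader
    unauthenticated policy is never used until it is moved above it."""
    policies = [
        Policy(1, "internal", "wan1", "192.168.110.*", "all", ["ANY"], "accept"),
        # Challenging over HTTP on a POP3 policy needs both services listed.
        Policy(2, "internal", "wan1", "192.168.110.[100-120]", "all",
               ["HTTP", "POP3"], "accept", auth=True),
    ]
    session = ("internal", "wan1", "192.168.110.105", "203.0.113.7", "POP3")
    before = first_match(policies, *session)    # policy 1 wins: no challenge
    reordered = move_before(policies, 2, 1)
    after = first_match(reordered, *session)    # policy 2 wins: challenge issued
    return before.policy_id, after.policy_id, [p.policy_id for p in reordered]


if __name__ == "__main__":
    print(demo())
```

Running demo() returns (1, 2, [2, 1]): with the broad policy 1 on top, the authenticated policy 2 is shadowed for the very hosts it was written for, and only after the move does the session reach it. The same predicate builder is what lets you sanity-check an address object before it is referenced from a policy, for instance that a typed range really covers the hosts you expect.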