
Introduction to Fortinet Unified Threat Management

Module Objectives
By the end of this module participants will be able to:
Identify the major features of the FortiGate Unified Threat Management appliance
Access and use the FortiGate administration interfaces
Create administrators
Configure the FortiGate unit for the lab environment used to complete the hands-on exercises

Traditional Network Security Solutions
Many single-purpose systems are needed to cope with a variety of threats:
VPN
Intrusion Prevention
Application Control
Web Filtering
WAN Optimization
Antispam
Antivirus
Firewall

Fortinet Solution
One device provides a comprehensive security and networking solution:
Firewall
Antivirus
Antispam
WAN Optimization
Web Filtering
Application Control
Intrusion Prevention
VPN
and more

Fortinet Solution
The solution is layered:
Hardware: purpose-driven hardware
FortiOS: specialized operating system
Security and network-level services: Firewall, AV, Web Filter, IPS
FortiGuard Subscription Services: automated update service

Fortinet Solution
Deployed across Headquarters, Branch office and Home office:
FortiGate platform
Management, reporting and analysis appliances
FortiGuard Subscription Services

FortiGate Capabilities
Firewall
Antivirus
Email filtering
Web filtering
Intrusion prevention
Application control
Data leak prevention
WAN optimization
Secure VPN
Wireless
Dynamic routing
Endpoint compliance
Virtual domains
Traffic shaping
High availability
Logging and reporting
Authentication

FortiGate Unit Components
Intel CPU
FortiASIC content processor
FortiOS 4.0
DRAM and flash memory
Hard disk
Interfaces
Console port
USB port
Wireless
Module slot bays
PC card slot

Fortinet Appliances
FortiAnalyzer
FortiBridge
FortiWifi
FortiAP
FortiMail
FortiCarrier
FortiWeb
FortiGate-ONE
FortiManager
FortiDB
FortiSwitch
FortiScan
FortiClient
FortiVoice
FortiGuard Subscription Services

Device Administration
Web Config
CLI

Administrators
Administrator accounts can be given full access, read-only access or customized access, scoped either globally or to a single VDOM.

Admin Profiles
An admin profile sets Read or Read-Write permission for each configuration area (System Configuration, Network Configuration, Firewall Configuration, UTM Configuration, VPN Configuration, etc.). The super_admin profile has global scope.

Administrators and their profiles:
Full access: super_admin profile
Custom access: custom profile
Full access within a single virtual domain: prof_admin profile

Administrator Authentication
Username and password (one factor)
Username and password + FortiToken (two factor)

Device Configuration
(Figure: the device settings are saved together to a *.conf file)

Device configuration settings can be saved to an external *.conf file, with optional encryption of the file.
The saved file can be restored to roll back the device to a previous configuration.
SCP is supported for configuration restore; the FortiGate unit acts as the SCP server once SCP access is enabled:
config system global
    set admin-scp enable
end
SCP runs over SSH, so SSH must also be among the administrative access protocols allowed on the interface used for the transfer.

Example - restore from Linux:
scp <local config filename> <admin_username>@<FGT IP_Addr>:fgt-restore-config

Configuration restore using the SCP protocol:
Per-VDOM configuration file: must be renamed to sys_config during upload
scp <fgt-upload.conf> admin@192.168.3.254:sys_config
Full configuration file: includes all VDOMs
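A plaintext backup is also the most convenient place to check whether the administrator guidance in this module (profiles, scope, trusted hosts, FortiToken) is actually applied. The script below is an added example, not Fortinet code and not part of the original training material: it parses the CLI-style *.conf backup described above and reports accounts with the global super_admin profile, no trusted-host restriction, or password-only authentication. The sample backup is constructed; its hostname, account names, version header and the ENC/token placeholders are hypothetical.

```python
"""Audit administrator accounts in a plaintext FortiOS configuration backup.

Added example; not Fortinet code. The backup below is constructed: the
hostname, account names, version header and ENC/token values are placeholders.
"""
import shlex

# Constructed sample backup. Real plaintext backups start with a
# "#config-version=" line; the version string here is a placeholder.
SAMPLE_CONF = """\
#config-version=FGT-4.00-FW-build0000-000000:opmode=0:vdom=0
config system global
    set admin-scp enable
    set hostname "FGT-LAB"
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set password ENC <placeholder>
    next
    edit "auditor"
        set accprofile "read_only"
        set vdom "root"
        set trusthost1 10.0.1.0 255.255.255.0
        set two-factor fortitoken
        set fortitoken "FTK-PLACEHOLDER"
        set password ENC <placeholder>
    next
    edit "branchadmin"
        set accprofile "prof_admin"
        set vdom "branch"
        set trusthost1 0.0.0.0 0.0.0.0
        set password ENC <placeholder>
    next
end
"""


def parse_config(text):
    """Parse FortiOS CLI syntax into a tree of nodes.

    Node = {"set": {option: [values]}, "entries": {edit name: node},
    "sub": {table name: node}}. `config` opens a table, `edit` an entry
    in it, `next`/`end` close the innermost node, `set`/`unset` act on it.
    """
    def node():
        return {"set": {}, "entries": {}, "sub": {}}

    root = node()
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and the header comment
        kw, *args = shlex.split(line)
        cur = stack[-1]
        if kw == "config":
            stack.append(cur["sub"].setdefault(" ".join(args), node()))
        elif kw == "edit":
            stack.append(cur["entries"].setdefault(args[0], node()))
        elif kw == "set":
            cur["set"][args[0]] = args[1:]
        elif kw == "unset":
            cur["set"].pop(args[0], None)
        elif kw in ("next", "end"):
            stack.pop()
    return root


def load_plaintext_backup(text):
    """Refuse encrypted or foreign files: only plaintext backups can be audited."""
    if not text.startswith("#config-version="):
        raise ValueError("not a plaintext FortiOS backup (encrypted or foreign file)")
    return parse_config(text)


def is_unrestricted(trusthosts):
    """No trusthostN at all, or an explicit 0.0.0.0/0, means any source may log in."""
    return not trusthosts or any(v == ["0.0.0.0", "0.0.0.0"] for v in trusthosts)


def audit_admins(root):
    """Map each administrator that has findings to its list of findings."""
    findings = {}
    admins = root["sub"].get("system admin", {"entries": {}})["entries"]
    for name, acct in admins.items():
        s, issues = acct["set"], []
        if s.get("accprofile", [""])[0] == "super_admin":
            issues.append("global super_admin profile; prefer prof_admin or a custom profile")
        if is_unrestricted([v for k, v in s.items() if "trusthost" in k]):
            issues.append("no trusted-host restriction; login accepted from any address")
        if s.get("two-factor", ["disable"])[0] != "fortitoken":
            issues.append("password-only authentication; no FortiToken")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for admin, issues in audit_admins(load_plaintext_backup(SAMPLE_CONF)).items():
        for issue in issues:
            print(f"{admin}: {issue}")
```

Run it against a backup pulled from the unit and it lists, per account, which of the three controls is missing; an encrypted backup is rejected up front rather than silently producing an empty report. The parser is generic, so the same tree can be queried for other tables, for example `system global` to confirm `admin-scp` is only enabled when SCP restore is actually needed.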

DHCP Server IP Reservation
An IP address can be reserved so that it is always assigned to the same DHCP host.
Select an IP address, or choose an existing DHCP lease, to add to the reserved list.
Identify the reservation as either DHCP over Ethernet or DHCP over IPsec.
The MAC address of the DHCP host is used to look up the IP address in the IP reservation table. Because the lookup is keyed on the client-supplied MAC address, a reservation ties an address to a device for convenience; it does not authenticate the device.

FortiGate DNS Server
The FortiGate unit can resolve DNS lookups from an internal network. Methods to set up DNS for each interface:
Relay DNS requests to the DNS servers configured for the unit
Resolve DNS requests using a FortiGate DNS database; unresolved requests are dropped
Split DNS configuration: DNS requests are resolved using a FortiGate DNS database and any unresolved requests are relayed to the DNS servers configured for the unit
One DNS database can be shared by all the FortiGate interfaces. If VDOMs are enabled, a DNS database needs to be created in each VDOM.

DNS Server Configuration
DNS zones need to be added when configuring the DNS database; each zone has its own domain name.
DNS entries are added to each zone. An entry includes a hostname and the address or name it resolves to, and specifies the entry type:
IPv4 address (A) or IPv6 address (AAAA)
name server (NS)
canonical name (CNAME)
mail exchange (MX)
IPv4 or IPv6 reverse lookup (PTR)

DNS Service
Add a new DNS service to an interface and select a mode:
Recursive: answer from the FortiGate DNS database and relay unresolved requests to the system DNS servers (split DNS)
Non-recursive: answer from the FortiGate DNS database only; unresolved requests are dropped
Forward to System DNS (forward-only): relay every request to the system DNS servers
A recursive or forward-only DNS service on an interface reachable from untrusted networks is an open resolver, so outside the lab the service belongs on internal interfaces only.

CLI equivalent:
config system dns-server
    edit wan1
        set mode recursive
    next
end

DNS Zones
Create a new zone as Master (the FortiGate holds the authoritative entries for the zone) or Slave (the zone is copied from a master DNS server).

DNS Records
Add DNS entries to the zone.
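The three service modes differ only in what happens when the local database does or does not hold an answer, which is easiest to see by running the same queries through each mode. The model below is an added example, not Fortinet code: it implements the mode descriptions given on this page (recursive resolves from the database first and relays the rest, non-recursive drops the rest, forward-only never consults the database) over a constructed zone and constructed system-DNS answers. Zone names, addresses and records are all hypothetical.

```python
"""Model of the FortiGate per-interface DNS service modes.

Added example, not Fortinet code. Zone data and system-DNS answers are
constructed; the behaviour follows the mode descriptions on this page.
"""

# Constructed DNS database: zone -> {(hostname, record type): value}.
# "@" is the zone apex; CNAME, MX and NS values are FQDNs.
ZONES = {
    "corp.example": {
        ("intranet", "A"): "10.1.1.10",
        ("intranet", "AAAA"): "fd00:1::10",
        ("www", "CNAME"): "intranet.corp.example",
        ("mail", "A"): "10.1.1.25",
        ("ns1", "A"): "10.1.1.53",
        ("@", "MX"): "mail.corp.example",
        ("@", "NS"): "ns1.corp.example",
    },
}

# Constructed answers from the DNS servers configured for the unit
# (the relay target for recursive and forward-only modes).
SYSTEM_DNS = {
    ("www.example.com", "A"): "203.0.113.5",
}

MODES = ("recursive", "non-recursive", "forward-only")


def _normalise(name):
    """Lower-case and drop a trailing dot so lookups are exact-match."""
    return name.rstrip(".").lower()


def _matching_zone(qname, zones):
    """Longest zone of which qname is the apex or a sub-name."""
    best = None
    for zone in zones:
        if qname == zone or qname.endswith("." + zone):
            if best is None or len(zone) > len(best):
                best = zone
    return best


def lookup_database(qname, qtype, zones, max_cname=4):
    """Resolve from the local DNS database, following CNAME chains inside it."""
    qname = _normalise(qname)
    for _ in range(max_cname + 1):
        zone = _matching_zone(qname, zones)
        if zone is None:
            return None  # name is outside every local zone
        host = qname[: -len(zone) - 1] or "@"
        records = zones[zone]
        if (host, qtype) in records:
            return records[(host, qtype)]
        if (host, "CNAME") in records:
            qname = _normalise(records[(host, "CNAME")])
            continue
        return None  # zone is local but the record does not exist
    return None  # CNAME loop or chain too long


def resolve(qname, qtype, mode, zones=ZONES, system_dns=SYSTEM_DNS):
    """Answer one query as a DNS service in the given mode would.

    Returns (answer or None, source) with source 'database', 'relay'
    (query sent to the system DNS servers) or 'dropped'.
    """
    if mode not in MODES:
        raise ValueError(f"unknown mode {mode!r}")
    qname = _normalise(qname)
    if mode != "forward-only":
        answer = lookup_database(qname, qtype, zones)
        if answer is not None:
            return answer, "database"
        if mode == "non-recursive":
            return None, "dropped"
    # recursive: unresolved names are relayed; forward-only: everything is relayed
    return system_dns.get((qname, qtype)), "relay"


def compare_modes(queries):
    """Outcome of each query under each mode; shows which names leave the unit."""
    return {mode: [resolve(n, t, mode) for n, t in queries] for mode in MODES}


if __name__ == "__main__":
    sample = [("intranet.corp.example", "A"), ("www.corp.example", "A"),
              ("corp.example", "MX"), ("www.example.com", "A")]
    for mode, results in compare_modes(sample).items():
        print(mode, results)
```

The comparison makes the security trade-off concrete: in non-recursive mode internal names never leave the unit but Internet names go unanswered, in recursive (split DNS) mode internal names are answered locally and only the rest are relayed, and in forward-only mode even queries for internal hosts are sent to the system DNS servers, which both fails to answer them and discloses the names upstream.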

Classroom Lab Topology

Labs
Lab - Virtual Lab Environment Basics
Logging in to the Virtual Lab Environment

Lab - Initial Setup
Exploring the CLI
Accessing Web Config
Configuring Network Interfaces
Configuring the FortiGate DNS Server
Enabling DNS Recursive
Configuring Global System Settings
Configuring Administrative Users
