FortiGate I Student Guide Forti Gate Online V2

Page Count: 556
FortiGate I
Student Guide
for FortiGate 5.4.1
DO NOT REPRINT
© FORTINET
FortiGate I Student Guide
for FortiGate 5.4.1
Last Updated: 4 August 2016
Fortinet®, FortiGate®, and FortiGuard® are registered trademarks of Fortinet, Inc., and other Fortinet
names herein may also be trademarks, registered or otherwise, of Fortinet. All other product or
company names may be trademarks of their respective owners. Copyright © 2002 - 2016 Fortinet, Inc.
All rights reserved. Contents and terms are subject to change by Fortinet without prior notice. No part
of this publication may be reproduced in any form or by any means or used to make any derivative
such as translation, transformation, or adaptation without permission from Fortinet, Inc., as stipulated
by the United States Copyright Act of 1976.
Table of Contents
VIRTUAL LAB BASICS ... 5
LAB 1 INTRODUCTION TO FORTIGATE ... 15
1 Working With the Command Line Interface ... 16
2 Configuration Backups ... 18
3 Administrative Accounts ... 22
LAB 2 LOGGING AND MONITORING ... 25
1 Configuring Logging on FortiGate ... 27
2 Monitoring Logs Through Alert Email ... 30
3 Viewing Logs in the FortiGate GUI ... 33
LAB 3 FIREWALL POLICIES ... 35
1 Creating Firewall Address Objects and Firewall Policies ... 37
2 Reordering Firewall Policies and Firewall Policy Actions ... 40
3 Device Identification ... 43
4 Policy Lookup ... 48
LAB 4 NETWORK ADDRESS TRANSLATION (NAT) ... 51
1 Access Through VIPs ... 53
2 Dynamic NAT with IP pools ... 57
3 Enabling Central NAT ... 60
4 Configuring Central SNAT ... 64
5 DNAT and VIPs ... 70
LAB 5 FIREWALL AUTHENTICATION ... 73
1 Remote Authentication ... 75
2 Captive Portal ... 81
LAB 6 SSL VPN ... 85
1 Web-Only SSL VPN ... 86
2 SSL VPN Tunnel Mode ... 92
LAB 7 BASIC IPSEC VPN ... 95
1 Route-based IPsec VPN ... 97
2 Policy-based IPsec VPN ... 101
3 Testing and Monitoring the VPN ... 105
LAB 8 EXPLICIT WEB PROXY ... 106
1 Configuring the Explicit Web Proxy ... 107
2 Using a PAC File ... 113
LAB 9 ANTIVIRUS ... 118
1 Proxy-based Antivirus Scanning ... 120
2 Flow-based Antivirus Scanning ... 124
LAB 10 WEB FILTERING ... 128
1 FortiGuard Web Filtering ... 130
2 Web Filtering Authentication ... 137
3 Web Profile Overrides ... 140
LAB 11 APPLICATION CONTROL ... 142
1 Creating an Application Control Profile ... 144
2 Limiting Traffic Using Traffic Shapers ... 147
3 Configuring CASI ... 150
APPENDIX A: ADDITIONAL RESOURCES ... 152
APPENDIX B: PRESENTATION SLIDES ... 153
1 Introduction to FortiGate ... 154
2 Logging and Monitoring ... 189
3 Firewall Policies ... 236
4 Network Address Translation (NAT) ... 271
5 Firewall Authentication ... 302
6 SSL VPN ... 349
7 Basic IPsec VPN ... 390
8 Explicit Proxy ... 419
9 Antivirus and Conserve Mode ... 450
10 Web Filtering ... 493
11 Application Control ... 535
FortiGate I Student Guide 5
Virtual Lab Basics
In this class, you will use a virtual lab for hands-on exercises. This section explains how to connect to
the lab and its virtual machines. It also shows the topology of the virtual machines in the lab.
Note: If your trainer asks you to use a different lab, such as devices physically located in
your classroom, please ignore this section. This applies only to the virtual lab accessed
through the Internet. If you do not know which lab to use, please ask your trainer.
Network Topology
[Figure: network topology diagram. Only the labels survived extraction; they are listed here in the order they appear, without the connecting lines that showed which device each address belongs to: LOCAL-WINDOWS eth0 10.0.1.10; port2 10.200.2.1/24; 10.0.1.254/24; port3; REMOTE-FORTIGATE 10.200.3.1/24; port4; REMOTE-WINDOWS 10.0.2.10; 10.200.4.1/24; port5; port6; 10.0.2.254/24; 10.200.2.254; eth2; eth4; 10.200.4.254; FortiManager; port1 10.0.1.241; port3 10.200.1.210; port2 10.200.1.241; FortiAnalyzer; port1 10.0.1.210.]
Logging In
1. Run the System Checker. This will fully verify both:
compatibility with the virtual lab environment's software, and
that your computer can connect.
It can also diagnose problems with your Java Virtual Machine, firewall, or web proxy.
Use the URL for your location.
North America/South America:
https://remotelabs.training.fortinet.com/training/syscheck/?location=NAM-West
Europe/Middle East/Africa:
https://remotelabs.training.fortinet.com/training/syscheck/?location=Europe
Asia/Pacific:
https://remotelabs.training.fortinet.com/training/syscheck/?location=APAC
If a security confirmation dialog appears, click Run.
If your computer successfully connects to the virtual lab, the result messages for the browser and
network checks will each display a check mark icon. Continue to the next step.
If a browser test fails, this will affect your ability to access the virtual lab environment. If a
network test fails, this will affect the usability of the virtual lab environment. For solutions, either
click the Support Knowledge Base link or ask your trainer.
2. With the user name and password from your trainer, log into the URL for the virtual lab. Either:
https://remotelabs.training.fortinet.com/
https://virtual.mclabs.com/
3. If prompted, select the time zone for your location, then click Update.
This ensures that your class schedule is accurate.
4. Click Enter Lab.
A list of virtual machines that exist in your virtual lab should appear.
From this page, you can access the console or desktop of any of your virtual devices by either:
clicking on the device’s square, or
selecting System > Open.
5. Click Local-Windows VM to open a desktop connection to that virtual machine.
A new window should open within a few seconds. (Depending on your account's preferences, the
window may be a Java applet. If that is the case, you may need to change browser settings to allow
Java to run on this web site.)
Connections to Windows and Linux machines will use a remote desktop-like GUI. You should
automatically log in. After that, the desktop is displayed.
Connections to Fortinet's VM use the VM console port, which you can use to enter command
line interface (CLI) commands.
Disconnections/Timeouts
If your computer’s connection with the virtual machine times out or if you are accidentally
disconnected, to regain access, return to the initial window/tab that contains your session’s list of VMs
and open the VM again.
If that does not succeed, see Troubleshooting Tips.
Using Java Instead of HTML5
When you open a VM, by default, your browser will use HTML5 to connect to your lab's VM.
Alternatively, you may be able to use Java instead. Your browser will download and use a Java
application to connect to the virtual lab’s VM. Not all browsers support the Java plug-in, so if you want
to use Java, Mozilla Firefox is recommended. This means that Java must be installed, updated, and
enabled in your browser. Once you have done that, in your virtual lab, click the Settings button, and
then select Use Java Client. Click Save & Disconnect, then log in again. (To use this preference,
your browser must allow cookies.)
When connecting to a VM, your browser should then open a display in a new applet window.
Screen Resolution
Some Fortinet devices' user interfaces require a minimum screen size.
In the HTML 5 client, to configure screen resolution, open the System menu.
In the Java client, to configure the screen resolution, click the arrow at the top of the window.
International Keyboards
If characters in your language don’t display correctly, keyboard mappings may not be correct.
To solve this in the HTML 5 client, open the Keyboard menu at the top of the window. Choose to
display the on-screen keyboard.
Troubleshooting Tips
Do not connect to the virtual lab environment through Wi-Fi, 3G, VPN tunnels or other low-
bandwidth or high-latency connections. For best performance, use a stable broadband connection
such as a LAN.
If disconnected unexpectedly from any of the virtual machines (or from the virtual lab portal),
please attempt to reconnect. If unable to reconnect, please notify the instructor.
If you can't connect to a VM, on the VM's icon, click System > Power Cycle. This fixes most
problems by forcing VM startup and connection initiation. If that does not solve the problem, try
System > Revert to Initial State.
Note: Reverting to the VM's initial snapshot will undo all of your work. Try other solutions first.
If the HTML 5 client does not work, try the Java client instead. Remembering this preference
requires that your browser allows cookies.
Do not disable or block Java applets if you want to use the Java client. Network firewalls can block
Java executables. Not all browsers/systems allow Java. In late 2015, Google Chrome removed
Java compatibility, so it cannot be used with the Java client. On Mac OS X since early 2014, to
improve security, Java has been disabled by default. In your browser, you must allow Java for this
web site. On Windows, if the Java applet is allowed and successfully downloads, but does not
appear to launch, you can open the Java console while troubleshooting. To do this, open the
Control Panel, click Java, and change the Java console setting to be Show console.
Note: JavaScript is not the same as Java.
Prepare your computer's settings:
o Disable screen savers
o Change the power saving scheme so that your computer is always on, and does not go to
sleep or hibernate
If during the labs, particularly when reloading configuration files, you see a message similar to the
one shown below, the VM is waiting for a response from the FortiGuard server.
To retry immediately, go to the console and enter the CLI command:
execute update-now
FortiGate I Student Guide 15
LAB 1 Introduction to FortiGate
This lab provides an introduction to FortiGate's administrative CLI and GUI. Additionally, the lab will
guide you through how to properly back up and restore a configuration file, as well as how to create a
new administrator account and modify administrative access permissions.
Objectives
Access the FortiGate CLI.
Back up and restore configuration files.
Find the FortiGate model and FortiOS firmware build information inside a configuration file.
Create a new administrative user.
Restrict administrative access.
Time to Complete
Estimated: 25 minutes
1 Working With the Command Line Interface
You will start by accessing a FortiGate device using the command line interface (CLI).
Exploring the CLI
The next steps will help you get familiar with the FortiGate CLI.
To explore the CLI
1. In the virtual lab portal, click the Local-FortiGate icon to open the FortiGate console.
(Alternatively, in the dropdown menu below the icon, click System > Open.)
2. At the login prompt, enter the username admin (all lower case) and leave the password blank.
3. Enter the following command:
get system status
This command displays basic status information about the FortiGate. The output includes the
FortiGate's serial number, operation mode, and so on. When the --More-- prompt appears in the
CLI, press the spacebar to continue scrolling, press Enter to scroll one line at a time, or press Q to
exit.
4. Enter the following command:
get ?
Note: The ? character is not displayed on the screen.
This command shows all of the options that the CLI will accept after the get command.
Depending on the command, you may need to enter additional words to completely specify a
configuration option.
5. Press the Up Arrow key. This displays the previous get system status command. Try
some of the other control key sequences shown here:
Action                      Command
Previous command            Up Arrow
Next command                Down Arrow
Beginning of line           CTRL+A
End of line                 CTRL+E
Back one word               CTRL+B
Forward one word            CTRL+F
Delete current character    CTRL+D
Clear screen                CTRL+L
Abort command and exit      CTRL+C
6. Enter the command:
execute ?
This lists all options that the CLI will accept next after the execute command.
7. Type exe then press the Tab key.
Notice that the CLI completes the current word.
8. Press the spacebar. After that, press the Tab key three times.
Each time that you press the Tab key, the CLI replaces the second word with the next possible
option for the execute command, in alphabetical order.
Note: Almost all commands can be abbreviated. In presentations and labs, many
of the commands that you see will be in abbreviated form.
Use this technique to reduce the number of keystrokes that are required to enter a
command. In this way, experts can often configure a FortiGate faster through the
CLI than the GUI.
If there are other commands that start with the same characters, your abbreviation
must be long enough to be specific, so that FortiGate can distinguish them.
Otherwise, the CLI will display an error message about ambiguous commands.
9. Enter the following CLI command to check the port3 interface configuration:
show system interface port3
10. Enter this command:
show full-configuration system interface port3
Stop and Think
Compare both outputs. How are they different?
The show full-configuration command displays all the configuration settings for the interface.
The show command displays only those settings whose values differ from the default
values.
2 Configuration Backups
During this lab exercise you will learn how to generate and restore clear-text and encrypted
configuration backups.
Restoring a Configuration From a Backup
In this procedure you will restore a configuration from a backup.
To restore a configuration from a backup
1. In the virtual lab portal, click the Local-Windows VM icon to open its VM. (Alternatively, in the
dropdown menu below the icon, go to System > Open.)
2. From the Local-Windows VM, open a browser and log in as admin to the Local-FortiGate GUI at
10.0.1.254.
Note: All the lab exercises were tested running Mozilla Firefox in Local-Windows VM
and Remote-Windows. As a result, to get consistent results, we recommend using
Firefox to access both the Internet and the FortiGate GUIs in this virtual environment.
3. Go to the Dashboard. (It should be the first screen that appears when you log in.)
4. In the System Information widget, click Restore.
A dialog should appear where you can select which configuration backup file to restore.
5. Click Upload to select which backup file to restore.
6. On your desktop, select the file named Resources\FortiGate-I\Introduction\local-initial.conf,
then click OK. Click OK again to confirm.
After your browser uploads the configuration, the FortiGate will automatically reboot.
7. Refresh the web page and log in again to the Local-FortiGate GUI.
8. Go to Network > Interfaces and verify that the network interface settings were restored.
9. Go to Network > Static Routes. Verify that the default route was restored.
Making Configuration Backups
You will create a file with the backup of the FortiGate's current configuration.
To make a configuration backup
1. In the Local-FortiGate GUI, go to the Dashboard.
2. In the System Information widget, click Backup.
3. Enable Encryption.
4. Enter the password fortinet twice and click OK.
5. Save the encrypted configuration file to the Downloads folder.
Caution: Always back up the configuration file before changing your device (even if the
change seems minor or unimportant). There is no undo. Restoring a backup will allow you to
quickly revert changes if you discover problems.
Restoring an Encrypted Configuration Backup
In this procedure you will restore the configuration backup that you created in the previous procedure.
To restore an encrypted configuration backup
1. In the Local-FortiGate GUI, go to the Dashboard.
2. From the System Information widget, click Restore.
3. Click Upload and select the file that you downloaded in the previous procedure.
4. Click OK.
Notice that, this time, you must enter the password fortinet.
Comparing Both Configuration Files
You will open both configuration files with Notepad++ and look at the differences.
To compare both configuration files
1. Start Notepad++ by clicking its icon in the Windows task bar:
2. Open the file with the encrypted configuration backup.
3. Start another instance of Notepad++ and open the initial file you restored:
Resources\FortiGate-I\Introduction\local-initial.conf
4. Compare the details in both.
Note: In both the clear-text and encrypted configuration files, the top acts as a
header, listing the firmware and model information that this configuration
belongs to.
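The lab objective of finding the model and firmware build inside a backup can be automated. The following Python is an added example, not code from the guide or from Fortinet: it reads the header comment at the top of a clear-text backup, extracts the model, firmware version and build, and performs a pre-restore check that the backup was taken on the same model and version as the device you are about to restore it to. The sample header is constructed; its build number, date and checksum are placeholders, and the exact header layout (#config-version=<model>-<version>-FW-build<n>-<date>:...) is my assumption rather than something this page states.

```python
import re

# Constructed sample of the first lines of a clear-text FortiOS backup.
# Build number, date and conf_file_ver are placeholders; the header layout
# itself is assumed, not taken from the guide.
SAMPLE_BACKUP = """\
#config-version=FGVM64-5.4.1-FW-build0000-000000:opmode=0:vdom=0:user=admin
#conf_file_ver=0000000000000000
#buildno=0000
#global_vdom=1
config system global
    set hostname "Local-FortiGate"
end
"""

# Named groups for each field the header carries.
HEADER_RE = re.compile(
    r"^#config-version="
    r"(?P<model>[A-Za-z0-9]+)-(?P<version>\d+\.\d+\.\d+)"
    r"-FW-build(?P<build>\d+)-(?P<date>\d+)"
    r":opmode=(?P<opmode>\d+):vdom=(?P<vdom>\d+):user=(?P<user>\S+)$"
)


def parse_backup_header(text):
    """Return the model/firmware fields from the #config-version line.

    Returns None when the file does not start with the expected header,
    for example when it is not a FortiOS backup at all.
    """
    for line in text.splitlines():
        match = HEADER_RE.match(line.strip())
        if match:
            return match.groupdict()
        if not line.startswith("#"):
            break  # comment header ends where 'config ...' statements begin
    return None


def restore_target_matches(backup_text, running_model, running_version):
    """Pre-restore check: only accept a backup whose header names the same
    model and firmware version as the device it will be uploaded to."""
    header = parse_backup_header(backup_text)
    if header is None:
        return False
    return header["model"] == running_model and header["version"] == running_version


if __name__ == "__main__":
    info = parse_backup_header(SAMPLE_BACKUP)
    print(f"model={info['model']} firmware={info['version']} build={info['build']}")
    print("safe to restore on FGVM64 5.4.1:",
          restore_target_matches(SAMPLE_BACKUP, "FGVM64", "5.4.1"))
```

The parser stops at the first non-comment line, so a file that is not a backup (or an encrypted body without a readable header) is reported as None rather than silently matched.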
3 Administrative Accounts
FortiGate offers great flexibility for configuring administrator privileges. You can specify the IP
addresses administrators are allowed to connect from. This lab includes some procedures related to
working with administrative accounts.
Creating an Administrator Profile
In this procedure, you will create a new administrator profile with read-only access to most of the
configuration settings.
To configure an administrator profile
1. From the Local-FortiGate GUI, go to System > Admin Profiles.
2. Click Create New and create a new profile called Security_Admin_Profile.
3. Set Security Profile Configuration to Read-Write, but set all other permissions to Read Only.
4. Click OK to save the changes.
Creating an Administrator Account
In this procedure, you will create a new administrator account. The account will be assigned to the
administrator profile created in the previous procedure. This administrator will have only read-only
access to most of the configuration settings.
To create an administrator account
1. In the Local-FortiGate GUI, go to System > Administrators.
2. Click Create New to add a new administrator account. Configure the following settings:
Field                    Value
User Name                Security_Admin
Password                 fortinet
Confirm Password         fortinet
Type                     Local User
Administrator Profile    Security_Admin_Profile
Note: Administrator names and passwords are case sensitive. You cannot include
characters such as < > ( ) # " in an administrator account name or password. Spaces are
allowed, but not as the first or last character.
3. Click OK to save the changes.
Testing the New Administrator Account
In this procedure you will confirm that the new administrator account has read-write access to only the
security profiles configuration.
To test the new administrator account
1. In the Local-FortiGate GUI, log out of the admin account's GUI session.
2. Log in as Security_Admin with the password fortinet.
3. Test this administrator’s access: try to create or modify settings that are not allowed by the
account's profile.
You should see that this account can only configure security profiles and monitor FortiGuard
quotas (which are related to usage by security profiles).
Restricting Administrator Access
In this procedure you will restrict access to FortiGate administration. Only administrators connecting
from a trusted subnet will be able to log in.
To restrict administrator access
1. In the Local-FortiGate GUI, log out of the Security_Admin account's GUI session.
2. Log in as admin.
3. Go to System > Administrators.
4. Edit the admin account.
5. Enable Restrict login to trusted hosts and set Trusted Host 1 to the address 10.0.2.0/24.
6. Click OK to save the changes.
Testing the Restricted Access
In this procedure you will confirm that administrators outside the subnet 10.0.2.0/24 cannot access
the FortiGate.
To test the restricted access
1. Log out of the admin account's GUI session.
2. Try to log back in using the admin account. What is the result this time?
Because you are trying to connect from the 10.0.1.10 address, you shouldn't be able to connect.
This is because you restricted logins to only the source IP addresses in the list of trusted hosts.
3. In the virtual lab portal, click the Local-FortiGate icon. (Alternatively, in the dropdown menu
below its icon, go to System > Open.)
4. Enter the following CLI commands to add 10.0.1.0/24 as the second trusted IP subnet
(Trusted Host 2) of the admin account:
conf sys admin
edit admin
set trusthost2 10.0.1.0/24
end
5. Try to access its GUI again. Access should be restored.
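The lockout in the previous steps is the classic trusted-host mistake: the subnet you enable does not contain the address you are administering from. The Python below is an added example (not from the guide or from Fortinet) that models the check with the lab's own values: 10.0.1.10 is the Local-Windows workstation, 10.0.2.0/24 is the first trusted host, and 10.0.1.0/24 is the entry added afterwards over the console. The function names, and the use of `next` before `end` in the rendered CLI, are my own choices.

```python
import ipaddress

# Lab values from the guide: the administrator works from Local-Windows at
# 10.0.1.10; the exercise first trusts only 10.0.2.0/24, then adds 10.0.1.0/24.
ADMIN_WORKSTATION = "10.0.1.10"
FIRST_TRUSTED_HOSTS = ["10.0.2.0/24"]
FIXED_TRUSTED_HOSTS = ["10.0.2.0/24", "10.0.1.0/24"]


def login_permitted(source_ip, trusted_hosts):
    """True if source_ip falls inside any trusted host entry.

    An empty list models an account with no trusted-host restriction.
    """
    if not trusted_hosts:
        return True
    addr = ipaddress.ip_address(source_ip)
    return any(
        addr in ipaddress.ip_network(entry, strict=False) for entry in trusted_hosts
    )


def lockout_check(proposed_trusted_hosts, admin_sources):
    """Return the administrator source addresses that the proposed trusted
    host list would lock out. Run it before saving the restriction, so the
    console is not the only way back in."""
    return [ip for ip in admin_sources if not login_permitted(ip, proposed_trusted_hosts)]


def trusted_hosts_to_cli(account, trusted_hosts):
    """Render the trusted hosts as the 'config system admin' statements
    used in the lab, one trusthostN per entry."""
    lines = ["config system admin", f"    edit {account}"]
    for index, entry in enumerate(trusted_hosts, start=1):
        lines.append(f"        set trusthost{index} {entry}")
    lines += ["    next", "end"]
    return "\n".join(lines)


if __name__ == "__main__":
    print("locked out by first list:", lockout_check(FIRST_TRUSTED_HOSTS, [ADMIN_WORKSTATION]))
    print("locked out by fixed list:", lockout_check(FIXED_TRUSTED_HOSTS, [ADMIN_WORKSTATION]))
    print(trusted_hosts_to_cli("admin", FIXED_TRUSTED_HOSTS))
```

Running it reproduces the lab: the first list locks out 10.0.1.10, the second does not, and the rendered CLI contains the trusthost2 line you typed on the console.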
FortiGate I Student Guide 25
LAB 2 Logging and Monitoring
In this lab, you will configure logging settings on the Local-FortiGate, configure alert email, and view
logs.
Objectives
Configure logging on FortiGate so that it knows how to log traffic.
Configure threat weight.
Monitor logs through alert emails.
View logs in the Local-FortiGate GUI.
Time to Complete
Estimated: 15 minutes
Prerequisites
Before beginning this lab, you must restore a configuration file to FortiGate.
To restore the FortiGate configuration file
1. From the Local-Windows VM, open a browser and log in as admin to the Local-FortiGate GUI at
10.0.1.254.
2. Go to Dashboard, and from the System Information widget click Restore.
3. Select to restore from Local PC and click Upload.
4. Browse to Desktop > Resources > FortiGate-I > Logging and select local-logging.conf.
5. Click OK.
6. Click OK to reboot.
1 Configuring Logging on FortiGate
In order to record network activity, you must configure logging on FortiGate. In this exercise, you will
configure the logging settings, including threat weight, and then enable logging on a firewall policy.
Configuring Log Settings
Configuring log settings does not directly generate logs on FortiGate. Rather, log settings define how
logs are treated. For example, sending logs in real-time to FortiAnalyzer for storage, enabling local
traffic logging, or enabling historical FortiView.
In this exercise, you will enable disk logging so that information can appear in the FortiView
dashboards, enable Event logging, and set the GUI to display logs from disk.
To configure the log settings
1. From the Local-Windows VM, open a browser and log in as admin to the Local-FortiGate GUI at
10.0.1.254.
2. Go to Log & Report > Log Settings.
3. Under Local Log, ensure Disk is enabled.
If disk logging is disabled, only real-time logs will appear in the FortiView dashboards.
4. Under Log Settings, complete the following:
Ensure Local Traffic Log is disabled.
These logs record traffic directly to and from FortiGate and can quickly fill up your disk if not
properly managed and monitored. For the purposes of this lab, leave this setting disabled.
Ensure Event Logging is enabled and Enable All selected.
Event logs provide all of the system information generated by the FortiGate device (they are not
caused by traffic passing through firewall policies). However, it is good practice to track and
monitor events that occur on FortiGate.
5. Under GUI Preferences, complete the following:
Ensure logs are set to display from Disk.
Ensure Resolve Hostnames is enabled. This requires FortiGate to perform reverse DNS
lookups for all the IPs and makes searching logs easier.
6. Click Apply.
Configuring Threat Weight
Threat weight allows you to set the risk values for low, medium, high, and critical levels and then apply
a threat weight to specific categories.
To configure threat weight
1. In the Local-FortiGate GUI, go to Log & Report > Threat Weight.
2. Under Web Activity, move the slider to the far right to indicate a Critical (50) risk level for the
following categories:
Malicious Websites
Hacking
Explicit Violence
Pornography
3. Click Apply.
Enabling Logging on a Firewall Policy
Now that your log settings are configured, you must enable logging on your firewall policy. A log
message is generated only when logging is enabled on the firewall policy (according to the configured log settings).
To enable logging on a firewall policy
1. In Local-FortiGate, go to Policy & Objects > IPv4 Policy and edit the Full_Access firewall policy.
2. Under Security Profiles, enable Web Filter and select Category_Monitor from the associated
drop-down list.
The Category_Monitor web filter was pre-configured for you and is set to block the following
categories: Potentially Liable, Adult/Mature Contents, and Security Risk.
3. Under Logging Options, enable Log Allowed Traffic and select All Sessions.
Remember, you will not get logs of any kind if Log Allowed Traffic is not enabled.
4. Click OK.
You've successfully enabled logging on your firewall policy. Later in this lab, you will test these
logging settings.
2 Monitoring Logs Through Alert Email
In this exercise, you will configure alert emails, run some traffic through the Local-FortiGate, and view
alert emails.
Configuring Alert Emails
Since you can’t always be physically at the FortiGate device, you can monitor events by setting up
alert email. Alert emails provide an efficient and direct method of notifying an administrator of events.
Note: An SMTP mail server is required for alert email to operate. Since configuring a mail
server is out of scope for this lab, it has been pre-configured for you. You can view the
email service configuration through the FortiGate GUI under System > Advanced.
To configure email alerts
1. From the Local-Windows VM, open a browser and log in as admin to the Local-FortiGate GUI at
10.0.1.254.
2. Go to Log & Report > Alert E-mail.
3. Complete the following:
Field         Value
Email from    FortiGate@training.lab
Email to      admin@training.lab
4. Enable Send alert email for the following and complete the following:
Enter an interval time of 1 minute
Select Web access blocked
Select Violation traffic detected
5. Click Apply.
Running Traffic Through Local-FortiGate
In order to generate multiple URL requests quickly so FortiGate can generate many different types of
logs, you will use the wget application to perform a spider crawl. A spider crawl ensures no content is
downloaded: only the URL is requested. This is enough to trigger content inspection.
Note: wget is a free, open source utility for accessing websites. You can use it to quickly
test your web filter settings and make sure that websites critical to your infrastructure are
not being blocked.
The pre-configured Web Filter security policy (Category_Monitor) that you enabled on your firewall
policy is set to block many of the URLs you will request. Since you also enabled logging on all
sessions in the firewall policy, FortiGate will generate web filter logs.
To run traffic through Local-FortiGate
1. From the Local-Windows VM desktop, open a Windows command prompt and type the following
command:
blacklist-urls
2. Minimize the command prompt window so the command continues to execute and continue to the
next procedure.
Viewing Alert Emails
Now that traffic is being sent through your FortiGate, you can check the admin@training.lab email to
see if any alerts have been generated based on that traffic. You configured the alert email to generate
an alert every 1 minute any time Web access is blocked and any time a violation in traffic is detected.
The log message that accompanies an alert provides more details about the traffic that caused the
alert.
To view your alert emails
1. From the Local-Windows VM desktop, open Mozilla Thunderbird.
2. Select the inbox of the admin@training.lab email account and click Get Messages.
You should see a message in the admin inbox with a subject of "Message meets Alert
condition". If no email appears in the inbox, wait 30 seconds and click Get Messages again.
3. Open the email and review the log message.
As you can see in the example below (you may receive a different log email), the log message
header provides the type (utm) and subtype (webfilter) and the log message body provides
information about the Web Filter security profile that was applied to the traffic
(Category_Monitor), the action it took (blocked), and the category description of the traffic
(Gambling).
Search for this information in any of the subsequent log messages that appear in your inbox so
you can better identify and understand your logs.
Note: To review more logs, click Get Messages in your admin inbox again. You
configured your alert email to send messages that meet the alert condition every 1 minute.
4. Close the Thunderbird email client when you are done.
3 Viewing Logs in the FortiGate GUI
In this exercise, you will view logs through both the Log & Report and FortiView menus of the
FortiGate GUI. You will also configure filter options to locate specific logs.
To view logs from Log & Report
1. From the Local-Windows VM, open a browser and log in as admin to the Local-FortiGate GUI at
10.0.1.254.
2. Go to Log & Report > Forward Traffic to view logs from the Forward Traffic page.
3. To narrow down the logs (results), click Add Filter from the search bar and add some filters. For
example:
Select Date/Time and click Last 5 minutes to see the most recent logs generated.
Select Security Action and Blocked to see all blocked traffic.
Select Threat Score and enter >=50 to see all Web activity at the Critical (50) risk level.
Remember, you set Malicious Websites, Hacking, Explicit Violence, and Pornography to the critical
risk level.
Note: If the information on which you are filtering does not appear in the table, you may
need to add the related column to the table. To do so, right-click any column in the table
and select the column you want to add. For example, to view the Threat Score column,
add Threat Score. The table refreshes with the new column added.
4. Go to Log & Report > Web Filter to view the logs from the Web Filter page.
Note: The Web Filter logs section will not display if there are no web filtering logs.
FortiGate will show it after creating logs. If this menu item does not display, log out
from the FortiGate GUI and log in again to refresh it.
5. To narrow down the logs (results), click Add Filter from the search bar and add some filters.
For example:
Select Action and Blocked to see all blocked traffic.
Select Category Description and select a category. For example: Hacking.
6. Continue to the next procedure.
To view logs from FortiView
1. In the Local-FortiGate GUI, go to FortiView > Web Sites.
By default, the search settings are set to display logs being created now. If wget has stopped
running and no more logs are being created currently, the page will be blank. This is expected.
2. Use the search settings to display the Web activity in a different way. For example:
Select Categories and 1 hour to see the most accessed Web categories in the last hour.
Click the table icon and select Bubble Chart.
Use the Sort By drop-down list to display the information by Threat Score, Sessions, or
Bytes.
3. Close the Windows command prompt to stop running traffic through Local-FortiGate.
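The filters you applied above operate on FortiOS log records, which are lines of key=value pairs. The following added example (not part of the student guide or of FortiOS) parses a few constructed web filter log lines in that format and applies the same Action, Category Description, Threat Score and Date/Time filters, plus a FortiView-style category count; the field names follow FortiOS log conventions, the threat score is assumed to be carried in crscore, and every value is invented for this lab's scenario.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed sample log lines in FortiOS key=value style. Key names follow
# FortiOS web filter logs; hosts, addresses and times are invented for this lab.
SAMPLE_LOGS = """\
date=2016-08-04 time=09:50:12 type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" policyid=1 srcip=10.0.1.10 dstip=192.0.2.10 service="HTTP" hostname="poker.example" profile="Category_Monitor" action="blocked" catdesc="Gambling" crscore=30
date=2016-08-04 time=10:15:01 type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" policyid=1 srcip=10.0.1.10 dstip=192.0.2.11 service="HTTP" hostname="casino.example" profile="Category_Monitor" action="blocked" catdesc="Gambling" crscore=30
date=2016-08-04 time=10:15:03 type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" policyid=1 srcip=10.0.1.10 dstip=198.51.100.7 service="HTTP" hostname="hacktools.example" profile="Category_Monitor" action="blocked" catdesc="Hacking" crscore=50
date=2016-08-04 time=10:15:04 type="utm" subtype="webfilter" eventtype="ftgd_allow" level="notice" policyid=1 srcip=10.0.1.10 dstip=203.0.113.9 service="HTTP" hostname="www.fortinet.com" profile="Category_Monitor" action="passthrough" catdesc="Information Technology" crscore=0
"""

# key=value where the value is either "quoted (may contain spaces)" or bare.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
TIME_FMT = "%Y-%m-%d %H:%M:%S"


def parse_log_line(line: str) -> Dict[str, str]:
    """Split one FortiOS-style log line into a field -> value dict."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}


def parse_logs(text: str) -> List[Dict[str, str]]:
    return [parse_log_line(line) for line in text.splitlines() if line.strip()]


def filter_logs(records: List[Dict[str, str]], *, action: Optional[str] = None,
                catdesc: Optional[str] = None, min_threat_score: Optional[int] = None,
                last_minutes: Optional[int] = None,
                now: Optional[str] = None) -> List[Dict[str, str]]:
    """Apply the equivalents of the GUI filters: Action, Category Description,
    Threat Score (>= value) and Date/Time (last N minutes relative to `now`,
    given as 'YYYY-MM-DD HH:MM:SS'; defaults to the current time)."""
    reference = datetime.strptime(now, TIME_FMT) if now else datetime.now()
    kept = []
    for rec in records:
        if action is not None and rec.get("action") != action:
            continue
        if catdesc is not None and rec.get("catdesc") != catdesc:
            continue
        if min_threat_score is not None and int(rec.get("crscore", "0")) < min_threat_score:
            continue
        if last_minutes is not None:
            stamp = datetime.strptime(rec["date"] + " " + rec["time"], TIME_FMT)
            if reference - stamp > timedelta(minutes=last_minutes):
                continue
        kept.append(rec)
    return kept


def top_categories(records: List[Dict[str, str]]) -> List[Tuple[str, int]]:
    """FortiView-style view: categories ordered by number of sessions."""
    counts: Dict[str, int] = {}
    for rec in records:
        counts[rec["catdesc"]] = counts.get(rec["catdesc"], 0) + 1
    return sorted(counts.items(), key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    records = parse_logs(SAMPLE_LOGS)
    for rec in filter_logs(records, action="blocked", min_threat_score=50):
        print(rec["time"], rec["hostname"], rec["catdesc"], rec["crscore"])
    print(top_categories(records))
```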
LAB 3 Firewall Policies
Objectives
Configure firewall objects and firewall policies.
Configure the source match options available in firewall policies.
Apply a firewall service and schedule to a firewall policy.
Configure firewall policy logging options.
Configure firewall policies based on device types.
Reorder firewall policies.
Read and understand logs.
Use policy lookup to find the matching policy.
Time to Complete
Estimated: 35 minutes
Prerequisites
Before beginning this lab, you must restore a configuration file to the Local-FortiGate.
To restore the Local-FortiGate configuration file
1. On the Local-Windows VM, open a web browser and log in as admin to the Local-FortiGate GUI
at 10.0.1.254.
2. Go to Dashboard, and from the System Information widget click Restore.
3. Select to restore from Local PC and click Upload.
4. Browse to Desktop > Resources > FortiGate-I > Firewall-Policies and select local-firewall-policy.conf.
5. Click OK.
6. Click OK to reboot.
1 Creating Firewall Address Objects and Firewall Policies
In this exercise, you will configure firewall address objects. You will also configure an IPv4 firewall
policy that uses those address objects together with a schedule, services, and log options. Then
you will test the firewall policy by passing traffic through it and checking the logs for your traffic.
At its core, FortiGate is a firewall, so almost everything that it does to your traffic is linked into your
firewall policies.
Creating Firewall Address Objects
The factory default configuration of FortiGate includes many pre-configured, well-known address
objects. If they do not meet your organization's needs, you can configure more.
To create a firewall address object
1. From the Local-Windows VM, open a web browser and log in as admin to the Local-FortiGate
GUI at 10.0.1.254.
2. Go to Policy & Objects > Addresses.
3. Go to Create New > Address.
4. Configure the following settings:
Field                Value
Name                 LOCAL_SUBNET
Type                 IP/Netmask
Subnet / IP Range    10.0.1.0/24
Interface            any
5. Click OK.
Creating a Firewall Policy
First, you will disable the existing firewall policy. Then, you will create a more specific firewall policy
using the firewall address object that you created in the previous procedure. You will also select
specific services and configure log settings.
To disable an existing firewall policy
1. In the Local-FortiGate GUI, go to Policy & Objects > IPv4 Policy.
2. Right-click on the Seq.# column for Full_Access firewall policy.
3. Select Status and click Disable.
To create a firewall policy
1. From the Policy & Objects > IPv4 Policy section, click Create New to add a new firewall policy.
2. Configure these settings:
Field                                Value
Name                                 Internet_Access
Incoming Interface                   port3
Outgoing Interface                   port1
Source                               LOCAL_SUBNET
Destination Address                  all
Schedule                             always
Service                              HTTP, HTTPS, DNS, ALL_ICMP, SSH
                                     (Tip: Type the name in the search box on the right-hand side and click a service to add it.)
Action                               ACCEPT
NAT                                  Enable
Log Allowed Traffic                  Enable and select All Sessions
Generate Logs when Session Starts    Enable
Enable this policy                   Enable
3. Leave all other settings at their default and click OK to save the changes.
Note: When creating firewall policies, remember that FortiGate is a stateful firewall. As a
result, you only need to create one firewall policy that matches the direction of the traffic
that initiates the session.
Testing the Firewall Policy and Viewing Generated Logs
Now that you have configured the firewall policy, you will test it by passing traffic through it and viewing
the generated logs.
To test and view logs for a firewall policy
1. From the Local-Windows VM, open a web browser and connect to various external web sites such
as www.fortinet.com, www.bbc.com.
2. In the Local-FortiGate GUI, go to Policy & Objects > IPv4 Policy.
3. Right-click on the Seq.# column of the Internet_Access policy.
4. Click Show Matching Logs.
5. Identify the log entries for your Internet browsing traffic.
With the current settings, you should have many log messages with Accept: session start in the
Result column. These are the session start logs.
When sessions close, you will have a separate log entry for the amount of data sent and received.
Note: Logging session starts will generate twice the amount of log messages. You should
use this option only when this level of detail is absolutely necessary.
Note: When you click Show Matching Logs in the firewall policy, FortiGate adds a Policy UUID filter
to the Forward Traffic logs.
6. In the Forward Traffic logs, click X to remove the Policy UUID filter.
When you remove the Policy UUID filter, the logs are shown unfiltered. You will use these logs in
upcoming labs.
7. Close all other browser tabs except Local-FortiGate GUI.
2 Reordering Firewall Policies and Firewall Policy Actions
In the applicable interface pair’s section, FortiGate will look for a matching policy, beginning at the top.
So usually you should put more specific policies at the top; otherwise, more general policies will match
the traffic first, and your more granular policies will never be applied.
In this exercise, you will create a new firewall policy with more specific settings such as source,
destination, service and action set to deny. Then you will move this firewall policy above the existing
firewall policies and observe the behavior of firewall policy reordering.
Creating a Firewall Policy
You will create a new firewall policy to match a specific source, destination, service, and action set to
deny.
Note: The firewall address LINUX_ETH1 with IP/Netmask 10.200.1.254/32 is
preconfigured for you, and you will be using this address when you create the firewall
policy.
To create a firewall policy
1. On the Local-Windows VM, open a web browser and log in as admin to the Local-FortiGate GUI
at 10.0.1.254.
2. Go to Policy & Objects > IPv4 Policy and click Create New.
3. Configure these settings:
Field                   Value
Name                    Block_Ping
Incoming Interface      port3
Outgoing Interface      port1
Source                  LOCAL_SUBNET
Destination Address     LINUX_ETH1
Schedule                always
Service                 PING
                        (Tip: Type the name in the search box on the right-hand side and click a service to add it.)
Action                  DENY
Log Violation Traffic   Enable
Enable this policy      Enable
4. Click OK to save the changes.
Adding Policy ID Column
The policy sequence number defines the order in which firewall policies match the traffic from top to
bottom. CLI commands use the policy ID instead of the policy sequence number. When policies are
moved, the policy sequence number changes accordingly, but the value that sticks with the firewall
policy is the policy ID.
To add a policy ID column
1. In the Policy & Objects > IPv4 Policy section, right-click any of the column headings and select
ID from Available Columns.
2. Scroll to the bottom and click Apply to save the changes.
3. You can drag the ID column to where you want it positioned in the column list.
Testing the Reordering of a Firewall Policy
Now that your configuration is ready, you will test by moving the Block_Ping firewall policy above
Internet_Access firewall policy. The objective is to confirm that, after reordering the firewall policies,
traffic is matched to the more specific firewall policy, the policy ID remains the same, and the sequence
number changes.
To confirm traffic matches to a more granular firewall policy after reordering the firewall policy
1. From the Local-Windows VM, open a command prompt.
2. Ping the destination address (LINUX_ETH1) that you configured in the Block_Ping firewall
policy.
ping -t 10.200.1.254
If you have not changed the rule ordering, the ping should still work because it matches the
ACCEPT policy and not the DENY policy that you created. This demonstrates the behavior of
policy ordering. The Block_Ping policy was never checked, because the traffic matched the
policy at the top (Internet_Access).
3. Leave this window open and perform the next step.
4. In the Policy & Objects > IPv4 Policy section, notice the current Seq.# number and ID (policy ID)
for both of these firewall policies.
5. Click the Seq.# for the Block_Ping firewall policy.
6. Drag it above the Internet_Access firewall policy.
When you move up the Block_Ping policy, the Seq.# number changes, but ID (policy ID) remains
the same.
7. Return to the Local-Windows VM and look at the command prompt window that is still running the
continuous ping.
You should see that the traffic is now blocked and the replies appear as Request timed out.
This demonstrates the outcome of the policy reordering. After moving the more granular policy
above the general access policy, the traffic is matched to the more granular policy and, based on
the DENY action, FortiGate stops processing the traffic.
8. Close the command prompt window.
3 Device Identification
FortiGate can match traffic by device type when you select the device in the source field. There are two
types of device identification:
Agentless device identification uses the traffic from the device; devices are indexed by their MAC
address.
Agent-based device identification uses FortiClient, which sends its unique FortiClient ID to
FortiGate.
In this lab, you will use the agentless device identification technique. You will add the device in the
source field to the existing firewall policy and observe the firewall policy source matching behavior.
Disabling Existing Firewall Policy
First, you will disable the Block_Ping firewall policy and your traffic will match to the Internet_Access
firewall policy.
To disable an existing firewall policy
1. On the Local-Windows VM, open a web browser and log in as admin to the Local-FortiGate GUI
at 10.0.1.254.
2. Go to Policy & Objects > IPv4 Policy.
3. Right-click on the Seq.# column for Block_Ping firewall policy.
4. Select Status and click Disable.
Configuring and Testing Device Identification
Now, you will run a continuous ping to an IP address. To test the firewall policy source matching
behavior, you will add a non-matching device, such as Linux PC, to the source field.
To configure and test device identification
1. On the Local-Windows VM, open a command prompt.
2. Run a continuous ping to 10.200.1.254. Enter:
ping -t 10.200.1.254
3. In the Local-FortiGate GUI, go to Policy & Objects > IPv4 Policy and right-click the Seq.# column
for the Internet_Access firewall policy.
4. Click Edit.
5. Select Source.
6. On the right hand side, select Device.
7. Click Linux PC.
You are choosing a device type that doesn’t match your device (Windows).
8. Click OK.
FortiGate will notify you that this action enables device identification on the source interface.
9. Click OK.
Note: If you enable a source device type in the firewall policy, FortiGate enables device
detection on the source interface(s) of the policy.
10. Return to the command prompt on the Local-Windows VM, where you were running continuous
ping.
You should see that traffic is blocked.
11. On the Local-Windows VM, try browsing the Internet by opening web browsers and connecting to
various external web sites such as www.fortinet.com, www.bbc.com.
Confirm the firewall blocks this traffic.
The traffic is blocked because the source device type in the firewall policy is set to Linux PC,
which does not match the Windows device from which the traffic is generated.
Modify the Implicit Deny Firewall Policy
FortiGate checks from top to bottom to find a firewall policy that matches the traffic. If none of the
firewall policies match the traffic, the default implicit deny firewall policy drops the traffic.
To confirm that the traffic is dropped by the implicit deny policy, you will enable logging on the
implicit firewall policy and then check the logs.
To enable logging on the implicit deny firewall policy
1. In Local-FortiGate GUI, go to Policy & Objects > IPv4 Policy.
2. Right click the Seq.# column for the Implicit Deny firewall policy.
3. Click Edit.
4. Enable Log Violation Traffic.
5. Click OK.
To confirm traffic is dropped by the implicit deny firewall policy
1. In Local-FortiGate GUI, go to Log & Report > Forward Traffic.
2. Confirm there are logging entries for the denied ping traffic.
Reconfiguring Device Identification
Now you will edit the Internet_Access firewall policy and add a Windows PC to match your Local-
Windows VM. You will see that the traffic will be allowed by this policy after you add a matching source
device.
To reconfigure device identification
1. In the Local-FortiGate GUI, go to Policy & Objects > IPv4 Policy.
2. Right click on the Source column for the Internet_Access firewall policy.
3. Click Select Entries.
4. Click Device.
5. Click Windows PC to select it.
6. Click Linux PC to unselect it.
7. Click OK.
To confirm traffic is allowed by a firewall policy
1. On the Local-Windows VM, return to the continuous ping that you started previously.
You should see that traffic is allowed.
2. Close the command prompt window.
3. On the Local-Windows VM, try browsing the Internet by opening web browsers and connecting
to various external web sites such as www.yahoo.com, www.google.com.
Confirm that the firewall allows this traffic.
Viewing the Details of an Identified Device
Once a device is identified, FortiGate updates its list of devices and caches the list to the flash disk to
speed up detection. You can view the details of an identified device. These details include device type,
detection method, and IP address to name a few.
To view the details of an identified device
1. In the Local-FortiGate GUI, go to User & Device > Device Inventory.
2. Click the + sign to expand the list.
3. Review the details of your detected host device.
You can see device details, such as IP address, interface, status, and more.
4. In the Local-Windows VM, open PuTTY and connect to the LOCAL-FORTIGATE saved session
(connect over SSH).
5. Log in as admin and execute the following command to view detection method and other device
details:
diagnose user device list
Adding an Identified Device to the Configuration File
The identified device is cached on the FortiGate and is not added to the configuration file. You will
be adding the identified device to the configuration file by adding an alias to the device.
To add an identified device to the configuration file
1. In a LOCAL-FORTIGATE PuTTY session, run the following command to confirm that there are
no devices in the configuration file:
show user device
2. In the Local-FortiGate GUI, go to User & Device > Device Inventory.
3. Click on your device.
4. Click Edit.
5. Configure the following:
Field    Value
Alias    MyDevice
This creates a static device in the configuration file.
6. Click OK.
7. In the LOCAL-FORTIGATE PuTTY session, run the following command to confirm that the device
now appears in the configuration file as a permanent device:
show user device
8. In the Local-FortiGate GUI, go to User & Device > Custom Devices & Groups.
Note that your device is listed under Custom Devices.
Adding a Custom Device to the Firewall Policy
Now that you've added your device as a custom device, you'll add it to the firewall policy.
To add a custom device to the firewall policy
1. In the Local-FortiGate GUI, go to Policy & Objects > IPv4 Policy.
2. Right click the Source column for Internet_Access firewall policy.
3. Click Select Entries.
4. Click Device on the right hand side.
5. Click Windows PC to unselect it.
6. Under CUSTOM DEVICE, click MyDevice to select it.
7. Click OK.
To confirm traffic is allowed by the firewall policy
1. On the Local-Windows VM, try browsing the Internet by opening web browsers and connecting
to various external web sites such as www.yahoo.com, www.google.com.
Confirm that the firewall allows this traffic.
4 Policy Lookup
FortiGate can find a matching firewall policy based on the policy lookup input criteria. Policy lookup
essentially simulates a packet flow through FortiGate without sending real traffic. From this simulated
flow, FortiGate can extract a policy ID and highlight that policy on the GUI policy configuration page.
In this lab, you will use the policy lookup feature to find the matching firewall policy based on input criteria.
Enabling Existing Firewall Policies
Because you disabled them while configuring and testing the firewall policies in the previous
exercises, most of the configured firewall policies are currently disabled. Now, you will enable the
existing firewall policies.
To enable existing firewall policies
1. From the Local-Windows VM, open a web browser and log in as admin to the Local-FortiGate
GUI at 10.0.1.254.
2. Go to Policy & Objects > IPv4 Policy.
3. Right-click on the Seq.# column for the Fortinet firewall policy.
4. Select Status and click Enable.
5. Right-click the Seq.# column for the Full_Access firewall policy.
6. Select Status and click Enable.
Setting Up and Testing Policy Lookup Criteria
Now, you will set up the policy lookup criteria. FortiGate will search and highlight the matching firewall
policy based on your input criteria.
To set up and test policy lookup criteria
1. In the Policy & Objects > IPv4 Policy, click Policy Lookup.
2. Set the following:
Field               Value
Source Interface    port3
Protocol            TCP
Source              10.0.1.100
Source Port         Leave it blank
Destination         fortinet.com
Destination Port    443
3. Click Search.
The search will match the Full_Access policy, but not the more specific firewall policy,
Fortinet.
In the search criteria, the source address is set to 10.0.1.100. This source address is not a part
of firewall policy named Fortinet; therefore, the search does not match the Fortinet firewall policy.
Note: When the FortiGate is performing policy lookup, it does a series of checks on
ingress, stateful inspection, and egress for the matching firewall policy. It performs the
checks from top to bottom, before providing results for the matching policy.
4. Click Policy Lookup and change the Source to 10.0.1.10.
Make sure all the other settings match the settings you used in step 2.
5. Click Search.
This time the search matches the policy named Fortinet, whose destination is set to an FQDN.
Reordering the Firewall Policy
Now you will reorder the firewall policies. You will be moving the Block_Ping firewall policy above the
Full_Access policy.
To reorder the firewall policy
1. In Policy & Objects > IPv4 Policy, click the Seq.# column for the Block_Ping firewall policy.
2. Drag it above the Full_Access firewall policy.
3. The order of your firewall policies should look similar to this:
Retesting Policy Lookup After Reordering the Firewall Policies
Now you will test the policy lookup feature after reordering the firewall policies.
To retest policy lookup after reordering firewall policies
1. In Policy & Objects > IPv4 Policy, click Policy Lookup.
2. Set the following for Policy Lookup:
Field               Value
Source Interface    port3
Protocol            ICMP
ICMP Type           8
ICMP Code           0
Source              10.0.1.100
Destination         10.200.1.254
3. Click Search.
The search will match the Full_Access policy, but not the more specific policy Block_Ping,
because it is disabled.
4. Right click the Seq.# column of the Block_Ping policy and set the Status to Enable.
5. Click Search.
This time the search matches the more specific, enabled policy, Block_Ping.
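As an added example (not FortiOS code), the Python model below evaluates this lab's Internet_Access and Block_Ping policies top to bottom the way exercises 2, 3 and 4 describe: it resolves a Policy Lookup style query, shows that dragging a policy changes its sequence number but not its ID, falls through to the implicit deny when the source device type does not match, and ignores disabled policies. The policy IDs, the external web host address and the device type labels are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Firewall services as (protocol, destination port or ICMP type); None = any.
SERVICES = {
    "HTTP": [("tcp", 80)], "HTTPS": [("tcp", 443)], "SSH": [("tcp", 22)],
    "DNS": [("udp", 53), ("tcp", 53)], "ALL_ICMP": [("icmp", None)],
    "PING": [("icmp", 8)],  # ICMP echo request
}
# Firewall address objects used in this lab.
ADDRESSES = {
    "LOCAL_SUBNET": ip_network("10.0.1.0/24"),
    "LINUX_ETH1": ip_network("10.200.1.254/32"),
    "all": ip_network("0.0.0.0/0"),
}


@dataclass
class Policy:
    policy_id: int                      # stays with the policy when it is moved
    name: str
    srcintf: str
    dstintf: str
    srcaddr: List[str]
    dstaddr: List[str]
    services: List[str]
    action: str                         # "accept" or "deny"
    enabled: bool = True
    src_devices: Tuple[str, ...] = ()   # () = no source device type restriction


@dataclass
class Query:
    """Lookup criteria, like the GUI Policy Lookup form or a real session."""
    srcintf: str
    dstintf: str
    proto: str                          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None         # TCP/UDP destination port
    icmp_type: Optional[int] = None
    device: Optional[str] = None        # identified source device type, if any


def _addr_match(names: List[str], ip: str) -> bool:
    return any(ip_address(ip) in ADDRESSES[n] for n in names)


def _service_match(names: List[str], q: Query) -> bool:
    want = q.icmp_type if q.proto == "icmp" else q.dport
    return any(proto == q.proto and (port is None or port == want)
               for n in names for proto, port in SERVICES[n])


def find_policy(policies: List[Policy], q: Query):
    """Walk the list top to bottom; return (sequence number, policy) of the
    first enabled match, or (None, None) when only the implicit deny applies."""
    for seq, pol in enumerate(policies, start=1):
        if not pol.enabled or (pol.srcintf, pol.dstintf) != (q.srcintf, q.dstintf):
            continue
        if not (_addr_match(pol.srcaddr, q.src) and _addr_match(pol.dstaddr, q.dst)):
            continue
        if not _service_match(pol.services, q):
            continue
        if pol.src_devices and q.device not in pol.src_devices:
            continue                    # device identification: wrong device type
        return seq, pol
    return None, None


def verdict(policies: List[Policy], q: Query) -> str:
    _, pol = find_policy(policies, q)
    return pol.action if pol is not None else "deny"   # implicit deny policy


def move_above(policies: List[Policy], name: str, above: str) -> List[Policy]:
    """Reorder as dragging Seq.# in the GUI does: positions (sequence
    numbers) change, policy IDs do not."""
    moving = next(p for p in policies if p.name == name)
    rest = [p for p in policies if p.name != name]
    idx = next(i for i, p in enumerate(rest) if p.name == above)
    return rest[:idx] + [moving] + rest[idx:]


def lab_policies() -> List[Policy]:
    """The two policies from this lab in creation order (IDs are constructed)."""
    return [
        Policy(2, "Internet_Access", "port3", "port1", ["LOCAL_SUBNET"], ["all"],
               ["HTTP", "HTTPS", "DNS", "ALL_ICMP", "SSH"], "accept"),
        Policy(3, "Block_Ping", "port3", "port1", ["LOCAL_SUBNET"], ["LINUX_ETH1"],
               ["PING"], "deny"),
    ]


# ping -t 10.200.1.254 from the Local-Windows VM (10.0.1.10): ICMP type 8.
PING = Query("port3", "port1", "icmp", "10.0.1.10", "10.200.1.254", icmp_type=8)

if __name__ == "__main__":
    pols = lab_policies()
    print(find_policy(pols, PING))      # seq 1, Internet_Access (ID 2): accept
    pols = move_above(pols, "Block_Ping", "Internet_Access")
    print(find_policy(pols, PING))      # seq 1, Block_Ping (ID 3): deny
```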
LAB 4 Network Address Translation (NAT)
NAT is used to perform source NAT and destination NAT for the traffic passing through FortiGate.
There are two ways to configure source NAT (SNAT) and destination NAT (DNAT).
firewall policy NAT
central NAT
In this lab, you will configure and test firewall policy NAT for SNAT using IP pool, and for DNAT using
virtual IP (VIP).
You will also enable central NAT. You will configure and test SNAT using central SNAT policy and
DNAT using DNAT policy and VIPs.
Objectives
Configure destination NAT settings using a VIP.
Configure the source NAT settings using overload IP pools.
Enable central NAT.
Configure a central NAT policy for the source NAT.
Configure DNAT and VIPs for the destination NAT.
Time to Complete
Estimated: 50 minutes
Prerequisites
Before starting the procedures in this lab, you must restore a configuration file to each FortiGate.
Note: Make sure to restore the correct configuration on each FortiGate by following the steps below.
Failing to restore the proper configuration on each FortiGate will prevent you from completing the lab exercises.
To restore the Remote-FortiGate configuration file
1. On the Local-Windows VM, open a web browser and log in as admin to the Remote-FortiGate
GUI at 10.200.3.1.
2. Go to Dashboard, and from the System Information widget click Restore.
3. Select to restore from Local PC and click Upload.
4. Browse to Desktop > Resources > FortiGate-I > NAT and select remote-nat.conf.
5. Click OK.
6. Click OK to reboot.
To restore the Local-FortiGate configuration file
1. On the Local-Windows VM, open a new web browser and log in as admin to the Local-FortiGate
GUI at 10.0.1.254.
2. Go to Dashboard, and from the System Information widget click Restore.
3. Select to restore from Local PC and click Upload.
4. Browse to Desktop > Resources > FortiGate-I > NAT and select local-nat.conf.
5. Click OK.
6. Click OK to reboot.
1 Access Through VIPs
VIP addresses are typically used to NAT external or public IP addresses to internal or private IP
addresses.
In this exercise, you will configure a VIP address for the Local-Windows VM. Then you will create an
egress-to-ingress firewall policy and apply a VIP address. This will allow Internet connections to the
Local-Windows VM. You will also verify the destination NAT and source NAT behavior using CLI
commands.
Creating a VIP
In FortiGate, a VIP is a destination NAT (DNAT) and can only be selected in a firewall policy’s
destination address field.
In this procedure, you will configure the VIP to map the Local-Windows VM (10.0.1.10) to
10.200.1.200, which is a part of the port1 subnet. You can refer to the diagram for the lab network
topology.
To create a VIP
1. From the Local-Windows VM, open a web browser and log in as admin to the Local-FortiGate
GUI at 10.0.1.254.
2. Go to Policy & Objects > Virtual IPs.
3. Click Create New and select Virtual IP.
4. Configure the following:
Field                        Value
Name                         VIP-INTERNAL-HOST
Interface                    port1
                             (port1 is connected to the Internet with IP address 10.200.1.1/24.)
External IP Address/Range    10.200.1.200 - 10.200.1.200
                             (This IP address is in the same range as the port1 subnet.)
Mapped IP Address/Range      10.0.1.10
5. Click OK.
Creating a Firewall Policy
You will configure a firewall policy using the VIP that you just created as the destination address.
To create a firewall policy
1. In Local-FortiGate GUI, go to Policy & Objects > IPv4 Policy.
2. Click Create New.
3. Configure these settings:
Field                  Value
Name                   Web-Server-Access
Incoming Interface     port1
Outgoing Interface     port3
Source                 all
Destination Address    VIP-INTERNAL-HOST
                       (Tip: Listed under the Virtual IP section.)
Schedule               always
Service                HTTP, HTTPS
                       (Tip: Use the search field to locate the services.)
Action                 ACCEPT
4. Under Firewall/Network Options, disable NAT.
5. Under Logging Options, enable Log Allowed Traffic and select All Sessions.
6. Click OK.
Testing the VIP Firewall Policy
Now that you've configured a firewall policy with the VIP address as the destination, you can test your
VIP by accessing it from the Remote-Windows VM, which is behind Remote-FortiGate. Traffic is
routed from the Remote-FortiGate to the Local-FortiGate by a Linux machine, which is acting as a
router between these two FortiGates. For more information, see the network topology diagram.
You will also test how the source address is NATed by the VIP when traffic is leaving from the Local-
Windows VM.
To test VIPs (DNAT)
1. From the Remote-Windows VM, open a web browser and access the following URL:
http://10.200.1.200
If the VIP operation is successful, a simple web page appears.
2. Go back to the Local-Windows VM, open PuTTY and connect to the LOCAL-FORTIGATE saved
session (connect over SSH).
3. Log in as admin and execute the following command to check the destination NAT entries in
the session table:
get system session list
Sample output:
Local-FortiGate# get system session list
PROTO EXPIRE SOURCE           SOURCE-NAT DESTINATION     DESTINATION-NAT
tcp   3594   10.200.3.1:49478 -          10.200.1.200:80 10.0.1.10:80
You will notice that the destination address 10.200.1.200 is translated to 10.0.1.10, which is the
mapping you configured in the VIP.
Testing Source NAT
Because the VIP is a static NAT, all NATed outgoing connections from the Local-Windows VM (IP
address 10.0.1.10) are source NATed to the VIP address by the ingress-to-egress firewall policy,
rather than to the egress interface IP address.
To test SNAT
1. Return to the PuTTY session for the Local-FortiGate and execute the following command to
clear any existing sessions:
diagnose sys session clear
Note: The firewall is stateful, so any existing sessions will not use this new firewall policy
until they time out or are cleared for ingress-to-egress traffic.
This clears the session to the Local-FortiGate from the Local-Windows VM.
2. Close the PuTTY window.
3. In the Local-Windows VM, open a web browser tab and connect to a few websites. For example:
www.fortinet.com
www.yahoo.com
www.bbc.com
4. Go back to the Local-Windows VM, open a PuTTY window, and connect to the LOCAL-
FORTIGATE saved session (connect over SSH).
5. Log in as admin and execute the following command to view the session information:
get system session list
Sample output:
Note that the outgoing connections from the Local-Windows VM are now being NATed to the
VIP address 10.200.1.200, instead of the firewall egress interface IP address (10.200.1.1).
This is a behavior of the static-NAT VIP: when NAT is enabled on the policy and the source host is
the mapped address of a static-NAT VIP, the VIP's external address is used for source NAT in
preference to the destination interface IP address.
6. Close PuTTY.
7. Close all browser windows except the Local-FortiGate.
2 Dynamic NAT with IP pools
IP pools are used to translate the source address to an address from that pool, rather than the egress
interface address.
Currently, the Local-FortiGate translates the source IP address of all traffic generated from the Local-
Windows VM to 10.200.1.200 because of the SNAT translation in the VIP.
In this exercise, you will create an IP pool, apply it to the ingress-to-egress firewall policy, and
verify the SNAT using CLI commands.
Creating an IP Pool
In this procedure, you will create an IP pool from the range of public IP addresses available on the
egress port (port1).
To create an IP pool
1. From the Local-Windows VM, open a web browser and log in as admin to the Local-FortiGate
GUI at 10.0.1.254.
2. Go to Policy & Objects > IP Pools.
3. Click Create New and configure the following settings:
Name: INTERNAL-HOST-EXT-IP
Type: Overload
External IP Range/Subnet: 10.200.1.100 - 10.200.1.100
4. Click OK.
Editing a Firewall Policy to Use the IP Pool
Now you will apply the IP pool to the ingress-to-egress firewall policy, changing its behavior from
static NAT to dynamic NAT.
To edit firewall policy
1. In the Local-FortiGate GUI, go to Policy & Objects > IPv4 Policy.
2. Right-click the Seq.# column for Full_Access firewall policy.
3. Click Edit.
4. Under Firewall/Network Options, configure the following settings:
NAT: Enabled
IP Pool Configuration: Use Dynamic IP Pool; click + and select INTERNAL-HOST-EXT-IP
Your configuration will look similar to:
5. Click OK.
Testing Dynamic NAT with IP Pools
Now that your configuration is ready, you can test dynamic NAT with IP pools by browsing to a few
external sites on the Internet. If successful, you will see that the Local-Windows VM IP address
(10.0.1.10) is source NATed to the IP pool address of 10.200.1.100.
To test dynamic NAT with IP pools
1. In the Local-Windows VM, open PuTTY and connect to the LOCAL-FORTIGATE saved session
(connect over SSH).
2. Log in as admin and execute the following command to clear any existing sessions:
diagnose sys session clear
Note: The firewall is stateful, so any existing sessions will not use this updated firewall
policy until they time out or are cleared for ingress-to-egress traffic.
3. Close the PuTTY window.
4. In the Local-Windows VM, connect to a few websites. For example:
www.fortinet.com
www.yahoo.com
www.bbc.com
5. In the Local-Windows VM, open PuTTY and connect to the LOCAL-FORTIGATE saved
session (connect over SSH).
6. Log in as admin and execute the following command to verify the source NAT IP address that
those sessions are using:
get system session list
Sample output:
Notice that the source NAT address is now 10.200.1.100 as configured in the IP pool, and the
IP pool has overridden the static NAT VIP.
7. Close PuTTY.
8. Close all browser windows except Local-FortiGate.
3 Enabling Central NAT
With central NAT, the SNAT and DNAT configuration is defined once per virtual domain (VDOM), as
central SNAT policies and DNAT & Virtual IP objects, and is applied automatically to every firewall
policy whose traffic matches those rules. With firewall policy NAT, by contrast, the NAT settings (IP
pool or VIP) are configured on each firewall policy individually.
Enabling Central NAT
In this procedure, you will enable central NAT. Central NAT can only be enabled and disabled from the
CLI.
To enable central NAT
1. From the Local-Windows VM, open PuTTY and connect to the LOCAL-FORTIGATE saved
session (connect over SSH).
2. Log in as admin and try to configure the following:
config system settings
set central-nat enable
end
The command is rejected with a message similar to the one below:
Note: Before enabling central NAT, you must remove VIP and IP pool references from the
existing firewall policies. The id=N in the message is the firewall policy ID, not the
Seq.# shown in the GUI.
Adding a Policy ID Column
In this procedure, you will check that the ID column is displayed in the IPv4 Policy table, so you can
more easily determine which firewall policy is associated with which policy ID. In this instance, you
need to determine which policy is id=1, as per the CLI error message above.
To add the Policy ID column
1. From the Local-Windows VM, open a web browser and log in as admin to the Local-FortiGate
GUI at 10.0.1.254.
2. Go to Policy & Objects > IPv4 Policy.
3. Check if the ID column is already displayed. If it is not, right-click any of the column headings,
select ID under Available Columns and click Apply.
Tip: You can drag the ID column to where you want it positioned in the column list.
You can now see that the Full_Access firewall policy is policy ID 1.
Modifying the Firewall Policy
In this procedure, you will remove the IP pool from the Full_Access firewall policy (policy ID 1), as
central NAT can only be enabled if none of the firewall policies have IP pool or VIP addresses
associated with them.
To modify the firewall policy
1. In the Local-FortiGate GUI, go to Policy & Objects > IPv4 Policy.
2. Right click Seq.# of the Full_Access firewall policy and select Edit.
3. Under Firewall/Network Options, modify the following settings:
NAT: Enabled
IP Pool Configuration: Use Outgoing Interface Address
4. Click OK.
Enabling Central NAT Again After Removing the IP
Pool
Now that you've removed the IP pool from the firewall policy, you can try to enable central NAT
again.
To try to enable central NAT
1. In the Local-Windows VM, go to the LOCAL-FORTIGATE PuTTY session you opened earlier.
2. Try to enable central NAT again:
config system settings
set central-nat enable
end
This time you will get a similar message for the VIP firewall policy (id=2).
Since you already added the ID column to the IPv4 Policy page, it shows that policy ID 2 is the
firewall policy labeled Web-Server-Access.
Modifying the Firewall Policy
In this procedure, you will remove the VIP address from the Web-Server-Access firewall policy (policy
ID 2), because central NAT can only be enabled if none of the firewall policies have IP pool or VIP
addresses associated with them.
To modify the firewall policy
1. In the Local-FortiGate GUI, go to Policy & Objects > IPv4 Policy.
2. Right click on Seq.# of the Web-Server-Access firewall policy and click Edit.
3. Change the Destination Address to all.
4. Scroll to the bottom of the page and disable the policy.
5. Click OK.
Enabling Central NAT
Now that you have modified the firewall policies to remove the IP pool and VIP addresses, you can
finally enable central NAT.
To enable central NAT after removing IP pool and VIP address from firewall policies
1. In the Local-Windows VM, go to the LOCAL-FORTIGATE PuTTY session you opened earlier.
2. Enable central NAT:
config system settings
set central-nat enable
end
3. In the Local-FortiGate GUI, refresh your browser for GUI changes to take effect.
4. Go to Policy & Objects > IPv4 Policy.
You will see two options in the left menu:
Central SNAT
DNAT & Virtual IPs
5. Close the PuTTY window.
4 Configuring Central SNAT
A central SNAT policy applies to all firewall policies whose traffic matches its source, destination
and protocol criteria. The NAT setting on each firewall policy controls whether central SNAT is
applied to that policy's traffic at all.
In this exercise, you will configure a central SNAT policy and test it.
Deleting DNAT and VIPs
When central NAT is enabled, a static-NAT VIP still takes precedence over central SNAT for outbound
traffic from the mapped host. To observe the central SNAT behavior cleanly, you therefore need to
delete the VIP object you added in a previous exercise.
To delete DNAT and VIPs
1. From the Local-Windows VM, open a web browser and log in as admin to the Local-FortiGate
GUI at 10.0.1.254.
2. Go to Policy & Objects > DNAT & Virtual IPs.
3. Right click VIP-INTERNAL-HOST and click Delete.
4. Click OK.
Testing SNAT Without an SNAT Policy
In this procedure, you will test the behavior of FortiGate when an SNAT policy is not configured.
To test SNAT Without an SNAT policy
1. In the Local-FortiGate GUI, go to Policy & Objects > IP Pools.
2. Review the settings of INTERNAL-HOST-EXT-IP.
3. In the Local-Windows VM, open PuTTY and connect to the LOCAL-FORTIGATE saved session
(connect over SSH).
4. Log in as admin and execute the following command to clear the existing sessions.
diagnose sys session clear
5. Close the PuTTY window.
6. In the Local-Windows VM, open a web browser and connect to a few websites. For example:
www.fortinet.com
www.yahoo.com
www.bbc.com
7. In the Local-Windows VM, open PuTTY and connect to the LOCAL-FORTIGATE saved
session (connect over SSH).
8. Log in as admin and execute the following command to verify the SNAT IP address that those
sessions are using:
get system session list
Sample output:
Notice that the SNAT address is now 10.200.1.1, which is the egress interface IP (port1).
Note: If no central SNAT or matching central SNAT rule exists, FortiGate
automatically uses the outgoing interface IP address for the source NAT.
9. Close PuTTY.
10. Close all other browser tabs except the Local-FortiGate GUI.
Configuring Central SNAT Policy
In this procedure, you will configure a central SNAT policy using the IP pool created in the
previous exercise.
To configure a central SNAT policy
1. In the Local-FortiGate GUI, go to Policy & Objects > Central SNAT.
2. Click Create New and configure the following:
Source Address: all
Destination Address: all
Translated Address: INTERNAL-HOST-EXT-IP
Protocol: ANY
3. Leave all other settings at their defaults and click OK to save the changes.
Verifying that NAT is Enabled on the Firewall Policy
If NAT is enabled on the firewall policy, central SNAT is used. In this procedure, you will verify that
NAT is enabled on the firewall policy.
To verify that NAT is enabled on firewall policy
1. In the Local-FortiGate GUI, go to Policy & Objects > IPv4 Policy.
2. Review the NAT column of the Full_Access policy to make sure NAT is enabled.
Note: There is no option for IP pools. In central SNAT, NAT on the firewall policy controls
if the central SNAT is used or not. If NAT is enabled on the firewall policy, central SNAT is
used.
Testing Central SNAT in the Presence of SNAT Policy
Now that your configuration is ready, you can test the behavior of the central SNAT policy.
To test central SNAT in presence of SNAT policy
1. In the Local-Windows VM, open PuTTY and connect to the LOCAL-FORTIGATE saved session
(connect over SSH).
2. Log in as admin and execute the following command to clear the existing sessions:
diagnose sys session clear
3. Close the PuTTY window.
4. In the Local-Windows VM, connect to a few websites. For example:
www.fortinet.com
www.yahoo.com
www.bbc.com
5. In the Local-Windows VM, open PuTTY and connect to the LOCAL-FORTIGATE saved session
(connect over SSH).
6. Log in as admin and execute the following command to verify the source NAT IP address that
those sessions are using:
get system session list
Sample output:
Notice that the source NAT address is now 10.200.1.100, which matches the central SNAT
policy.
7. Close PuTTY.
8. Close all other browser tabs except Local-FortiGate GUI.
Creating a Second IP Pool
Now you will create a second IP Pool, which will be used later when creating a second central SNAT
policy.
To create a second IP Pool
1. In the Local-FortiGate GUI, go to Policy & Objects > IP Pools.
2. Click Create New and configure the following:
Name: SNAT-Pool
Type: Overload
External IP Range/Subnet: 10.200.1.50 - 10.200.1.50
3. Click OK.
Creating a Second SNAT Policy
Now you will create a more granular SNAT policy by selecting a specific destination address and
protocol to match specific traffic.
To create second SNAT policy
1. In the Local-FortiGate GUI, go to Policy & Objects > Central SNAT.
2. Click Create New and configure the following:
Source Address: all
Destination Address: REMOTE_FORTIGATE
Translated Address: SNAT-Pool
Protocol: TCP
3. Click OK.
Reordering Central SNAT Policies
Now you will reorder the central SNAT policies to put the more granular rule on top.
Like firewall policies, central SNAT policies are evaluated from top to bottom, and the first match
determines how the source address and source port are translated. If the catch-all policy stayed
above the granular one, the granular policy would never match.
To reorder central SNAT policies
1. In the Local-FortiGate GUI, go to Policy & Objects > Central SNAT.
2. Drag the newly created central SNAT policy above the previously created central SNAT policy.
Testing Central SNAT
Now that your configuration is ready, you can test the central SNAT configuration.
To test central SNAT
1. In the Local-Windows VM, open PuTTY and connect to the LOCAL-FORTIGATE saved session
(connect over SSH).
2. Log in as admin and execute the following command to clear the existing sessions:
diagnose sys session clear
3. Clearing the session table also drops this SSH session, so open PuTTY again and reconnect to
the LOCAL-FORTIGATE saved session (connect over SSH).
4. Log in as admin and leave this session open; you will return to it in step 9.
5. From the Local-Windows VM, open a web browser and log in as admin to the Remote-FortiGate
GUI at 10.200.3.1.
6. In the Local-Windows VM, open a command prompt.
7. Run continuous ping to the Remote-FortiGate IP:
ping 10.200.3.1 -t
8. In the Local-Windows VM, connect to a few websites. For example:
www.fortinet.com
www.yahoo.com
www.bbc.com
9. In the Local-Windows VM, go back to PuTTY session and list the sessions by running following
CLI command:
get system session list
Notice that the TCP sessions to destination 10.200.3.1 are source NATed to 10.200.1.50,
because they match the granular central SNAT policy at the top.
Sample output:
ICMP sessions to destination 10.200.3.1 are source NATed to 10.200.1.100: the top policy matches
TCP only, so they fall through to the central SNAT policy at the bottom.
Sample output:
Likewise, TCP sessions to destinations other than 10.200.3.1 are translated to 10.200.1.100,
because the only policy they match is the central SNAT policy at the bottom.
Note: A Central SNAT policy is processed from top to bottom, similar to firewall policies.
10. Close the command prompt and PuTTY.
11. Close all other browser tabs except the Local-FortiGate GUI.
5 DNAT and VIPs
With firewall policy NAT, a VIP is selected as the destination address of the firewall policy. With
central NAT, as soon as a DNAT & Virtual IP object is configured, FortiGate automatically installs a
rule in the kernel so that the DNAT occurs, and no additional firewall policy configuration is required.
In this exercise, you will configure and test the behavior of central DNAT.
Creating DNAT and VIPs
In this procedure, you will configure DNAT and VIPs.
To create DNAT and VIPs
1. From the Local-Windows VM, open a web browser and log in as admin to the Local-FortiGate
GUI at 10.0.1.254.
2. Go to Policy & Objects > DNAT & Virtual IPs.
3. Click Create New and select DNAT & Virtual IP.
4. Configure the following settings:
Name: Central-DNAT
Interface: port1
Type: Static NAT (default setting)
External IP Address/Range: 10.200.1.150 - 10.200.1.150
Mapped IP Address/Range: 10.0.1.10
5. Click OK.
Verifying the Firewall Policy Settings
You will now verify the firewall policy settings for the egress-to-ingress firewall policy.
To verify the firewall policy settings
1. In the Local-FortiGate GUI, go to Policy & Objects > IPv4 Policy.
2. Right click Seq.# of the Web-Server-Access firewall policy and click Edit.
3. Review the settings of firewall policy.
4. Try to select the DNAT & Virtual IPs address in firewall destination address.
You will not be able to do so.
Note: VIPs previously created cannot be selected in a firewall policy as a destination
address. As soon as a VIP is created, FortiGate automatically creates a rule in the kernel
for DNAT to occur.
5. Scroll to the bottom and enable the firewall policy.
6. Click OK.
Testing DNAT and VIPs
In this procedure, you will test DNAT and VIPs by accessing the Local-Windows VM through the VIP.
To test DNAT and VIPs
1. From the Remote-Windows VM, open a web browser and access the following URL:
http://10.200.1.150
If the VIP operation is successful, a simple web page appears.
2. Go back to the Local-Windows VM, open PuTTY and connect to the LOCAL-FORTIGATE saved
session (connect over SSH).
3. Log in as admin and execute the following command to check the destination NAT entries in the
session table:
get system session list
Sample output:
Local-FortiGate # get system session list
PROTO EXPIRE SOURCE SOURCE-NAT DESTINATION DESTINATION-NAT
tcp 3599 10.200.3.1:49183 - 10.200.1.150:80 10.0.1.10:80
4. In the Local-Windows VM, open a web browser and try to access a few websites. For example:
www.fortinet.com
www.yahoo.com
www.bbc.com
5. Go back to the LOCAL-FORTIGATE PuTTY session and verify the SNAT IP address those sessions
are using:
get system session list
Sample output:
Notice that the sessions originating from source IP 10.0.1.10 are source NATed to
10.200.1.150 (the VIP) rather than to the central SNAT policy pool IP of 10.200.1.100. This is
expected behavior in central NAT.
Note: If both a central SNAT policy and a static-NAT DNAT/VIP match, egress traffic from the
mapped host is source NATed to the DNAT/VIP external address, not to the address in the
central SNAT policy. Keep this in mind when exposing an internal host through a static-NAT VIP:
all of that host's outbound connections will carry the VIP address, so the host is recognizable
externally by that address. If that is not wanted, use a port-forwarding VIP (which does not apply
this reverse translation) rather than a static-NAT VIP.
6. Close PuTTY.
7. Close all other browser tabs except Local-FortiGate GUI.
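The central SNAT test in exercise 4 and the VIP-over-SNAT precedence shown above both come down to one selection order: a static-NAT VIP for the source host first, then the central SNAT policies from top to bottom, then the egress interface address. The following Python script is an added example, not part of this guide and not FortiOS code: it models that order and checks rows of `get system session list` output against it, so you can verify a session table mechanically instead of by eye. It assumes the REMOTE_FORTIGATE address object is the host 10.200.3.1/32, treats the ICMP port column as an opaque number, and uses constructed sample rows laid out like the page's output rather than rows captured from a device.

```python
"""Central SNAT selection model and `get system session list` checker.

Added example for the FortiGate NAT lab; not Fortinet code. It reproduces
the precedence observed in exercises 4 and 5: static-NAT VIP, then the
central SNAT policies top to bottom, then the egress interface address.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class CentralSnatRule:
    """One row of Policy & Objects > Central SNAT, in top-to-bottom order."""
    src: str         # address object as CIDR, or "all"
    dst: str         # address object as CIDR, or "all"
    proto: str       # "any", "tcp", "udp" or "icmp"
    translated: str  # the IP pool address (an overload pool with one IP)


def _addr_matches(spec: str, ip: str) -> bool:
    """True when ip falls inside the address object spec."""
    if spec == "all":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def expected_snat(src_ip: str, dst_ip: str, proto: str,
                  rules: List[CentralSnatRule], egress_ip: str,
                  static_vips: Dict[str, str]) -> str:
    """Return the source address FortiGate should use for an egress session.

    static_vips maps VIP external IP -> mapped internal IP (static NAT type).
    A static-NAT VIP for the source host wins outright; otherwise the first
    matching central SNAT rule; otherwise the egress interface IP.
    """
    for external, mapped in static_vips.items():
        if mapped == src_ip:
            return external
    for rule in rules:
        if (_addr_matches(rule.src, src_ip) and _addr_matches(rule.dst, dst_ip)
                and rule.proto in ("any", proto)):
            return rule.translated
    return egress_ip


# Data rows of `get system session list`:
# PROTO EXPIRE SOURCE SOURCE-NAT DESTINATION DESTINATION-NAT
SESSION_RE = re.compile(
    r"^(?P<proto>[a-z]+)\s+(?P<expire>\d+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<snat>\S+)\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<dnat>\S+)$")


def parse_sessions(output: str) -> List[dict]:
    """Parse the data rows; the prompt and the header line do not match."""
    rows = []
    for line in output.splitlines():
        m = SESSION_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def observed_snat(row: dict) -> Optional[str]:
    """The SOURCE-NAT column is '-' when no translation was applied."""
    return None if row["snat"] == "-" else row["snat"].split(":")[0]


def check_sessions(output: str, rules: List[CentralSnatRule], egress_ip: str,
                   static_vips: Dict[str, str], internal_hosts: Set[str]
                   ) -> List[Tuple[str, str, str, Optional[str], bool]]:
    """Compare every egress session from internal_hosts with the model.

    Each result is (proto, destination, expected SNAT, observed SNAT, ok).
    Inbound rows (DNAT hits on a VIP) are skipped; SNAT selection does not
    apply to them.
    """
    results = []
    for row in parse_sessions(output):
        if row["src"] not in internal_hosts:
            continue
        want = expected_snat(row["src"], row["dst"], row["proto"],
                             rules, egress_ip, static_vips)
        got = observed_snat(row)
        results.append((row["proto"], row["dst"], want, got, want == got))
    return results


# Lab state after exercise 4: granular rule on top, catch-all below.
# REMOTE_FORTIGATE is assumed to be the host address 10.200.3.1/32.
LAB_RULES = [
    CentralSnatRule("all", "10.200.3.1/32", "tcp", "10.200.1.50"),
    CentralSnatRule("all", "all", "any", "10.200.1.100"),
]

# Constructed sample in the page's column layout, not captured from a device.
SAMPLE = """\
Local-FortiGate # get system session list
PROTO EXPIRE SOURCE           SOURCE-NAT          DESTINATION      DESTINATION-NAT
tcp   3599   10.0.1.10:50120  10.200.1.50:50120   10.200.3.1:443   -
icmp  59     10.0.1.10:1      10.200.1.100:60417  10.200.3.1:8     -
tcp   3598   10.0.1.10:50121  10.200.1.100:50121  66.35.59.249:80  -
"""

if __name__ == "__main__":
    for proto, dst, want, got, ok in check_sessions(
            SAMPLE, LAB_RULES, "10.200.1.1", {}, {"10.0.1.10"}):
        print(f"{proto:5} -> {dst:15} expected {want:13} observed {got}  "
              f"{'OK' if ok else 'MISMATCH'}")
```

Passing `static_vips={"10.200.1.150": "10.0.1.10"}` reproduces the exercise 5 result: every egress session from 10.0.1.10 is expected to carry 10.200.1.150 regardless of the central SNAT policies, while other internal hosts still follow the policy table. Paste real `get system session list` output into SAMPLE to check a device; any MISMATCH row points at a policy order or NAT setting worth re-examining.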
LAB 5 Firewall Authentication
In this lab, you will configure FortiGate to communicate with a remote LDAP server for server-based
password authentication.
You will also configure captive portal, so that any user connecting to the network is prompted for their
login credentials (active authentication).
Objectives
Configure server-based password authentication with an LDAP server.
Configure captive portal so users connecting to your network are forced to authenticate.
Time to Complete
Estimated: 20 minutes
Prerequisites
Before beginning this lab, you must restore a configuration file to FortiGate.
To restore the FortiGate configuration file
1. From the Local-Windows VM, open a browser and log in as admin to the Local-FortiGate GUI at
10.0.1.254.
2. Go to Dashboard, and from the System Information widget click Restore.
3. Select to restore from Local PC and click Upload.
4. Browse to Desktop > Resources > FortiGate-I > Firewall-Authentication and select local-firewall-authentication.conf.
5. Click OK.
6. Click OK to reboot.
1 Remote Authentication
In this exercise, you will configure an LDAP server on FortiGate for remote authentication, create a
remote authentication group for your remote users, and add that group as a source in a firewall policy.
Finally, you will authenticate over SSL-VPN as one of the remote users, and then monitor the login as
the administrator.
Configuring an LDAP Server on FortiGate
You can configure FortiGate to point to an LDAP server for server-based password authentication
using the pre-configured Active Directory service located on the Local-Windows VM. Active Directory
already has users available to use in this lab.
To configure an LDAP Server on FortiGate
1. From the Local-Windows VM, open a browser and log in as admin to the Local-FortiGate GUI at
10.0.1.254.
2. Go to User & Device > LDAP Servers and click Create New.
3. Complete the following:
Name: ADserver
Server IP/Name: 10.0.1.10
This is the IP address of the Windows Server (the Local-Windows VM). For more information, see Network Topology.
Server Port: 389
This is the default port for LDAP. A plain LDAP bind on port 389 sends the bind password in cleartext; that is acceptable on the isolated lab network, but in production enable Secure Connection (LDAPS or STARTTLS) on the LDAP server object so that the bind credentials and the users' passwords are encrypted in transit.
Common Name Identifier: cn
This is the attribute name used to find the user name. Active Directory calls this cn.
Distinguished Name: ou=Training,dc=trainingAD,dc=training,dc=lab
This is the base DN under which FortiGate searches for users in Active Directory on the Windows Server. Active Directory has already been pre-configured, with all users located in the Training organizational unit (ou).
Bind Type: Regular
User DN: cn=ADadmin,cn=users,dc=trainingAD,dc=training,dc=lab
We are using the credentials of an Active Directory user called ADadmin to bind to Active Directory. ADadmin is located in the Users container (cn=users). In production, the bind account should be a dedicated, least-privilege account with read access only, because its password is stored in the FortiGate configuration.
Password: Training!
This is the password pre-configured for the ADadmin user. You must use it to be able to bind.
4. Click Test.
You should receive an indication of a successful connection.
5. Click OK.
Assigning Remote Users to a Firewall Group
In this procedure, you will assign a user located on the LDAP server to a firewall user group called
Remote-users on FortiGate. This way, you can configure firewall policies to act on the firewall user
group.
Generally, groups are used to more effectively manage individuals that have a shared relationship.
Note: The Remote-users group was pre-configured for you. However, it needs to be
modified to add the users from the remote LDAP server you just configured in the last
procedure.
To assign a user to a user group
1. In the Local-FortiGate GUI, go to User & Device > User Groups and edit the Remote-users
group.
As you can see, it's currently configured as a firewall group.
2. To add users from the remote LDAP server, click Create New from the Remote groups table.
The Add Group Match dialog box appears.
3. From the Remote Server drop-down list, select ADserver.
4. From the LDAP Groups table, click AD-users under the Group tab in the main window and
click the Add Selected button that appears.
AD-users will appear disabled with a green checkmark, indicating it has been added.
5. Click OK.
The users in this Active Directory group are now included in your FortiGate Remote-users firewall
user group. Only users from the remote LDAP server that match this user group entry can
authenticate.
6. Click OK.
Adding the Remote User Group to your Firewall Policy
Now that the LDAP server group is mapped into the Remote-users firewall user group, you can add the
group to a firewall policy. This allows you to control access to network resources, as policy
decisions are made on the group as a whole.
Since your remote user on your LDAP server will be authenticating over SSL-VPN, you will add the
group to an SSL-VPN firewall policy.
Note: Configuring SSL-VPN is out of scope for this lab. As such, the SSL-VPN settings
have been pre-configured for you. However, you still need to configure an SSL-VPN
firewall policy and add the Remote-users group to it.
To add the remote user group to your firewall policy
1. In the Local-FortiGate GUI, go to VPN > SSL-VPN Settings and click the warning message at the
top of the page.
Clicking this warning message will create a new SSL-VPN policy for you using these pre-
configured settings.
Complete the following:
Name: SSL-VPN
Outgoing Interface: port1
Source: LOCAL_SUBNET and Remote-users (located under User)
Destination Address: all
Schedule: always
Service: ALL
Action: ACCEPT
2. Under Security Profiles, enable Web Filter and select Category_Monitor.
This Web Filter was pre-configured for you and is set to block the following categories: Potentially
Liable, Adult/Mature Content, and Security Risk.
3. Under Logging Options, enable Log Allowed Traffic and select All Sessions.
4. Click OK.
5. Click OK.
The SSL-VPN Settings page re-appears. Note that web mode access for SSL VPN is listening at
https://10.0.1.254:10443.
To test whether aduser1 will be able to successfully authenticate
1. Test to see whether aduser1 will be able to successfully authenticate:
A. Open PuTTY on Local-Windows VM and connect to the LOCAL-FORTIGATE saved session
(connect over SSH).
B. Log in as admin.
C. Type the following command:
diagnose test authserver ldap <LDAP server name> <LDAP user name> <password>
Where:
<LDAP server name> is ADserver (case-sensitive)
<LDAP user name> is aduser1
<password> is Training!
You should see something like this for a successful authentication:
2. Close PuTTY.
Authenticating and Monitoring
You will authenticate through the pre-configured SSL VPN as aduser1. This user is a member of the
AD-users group in Active Directory, which you mapped into the Remote-users group on FortiGate.
You will then monitor the authentication.
To authenticate as a remote user
1. In the Local-Windows VM, open a new browser tab and go to https://10.0.1.254:10443.
This is the Web mode access for SSL VPN.
If you receive a warning that your connection is not secure, click Advanced and then
select Add Exception. The lab FortiGate presents a certificate your browser does not trust;
accepting it is fine on the isolated lab network, but a production SSL VPN portal should use a
certificate issued by a CA your users trust, so that they are never trained to click through this warning.
2. Log in as aduser1 with password Training!
The SSL VPN Web portal appears.
3. Click Quick Connection and in the URL field, type www.google.com and click Launch.
The site launches successfully.
4. Return to your browser tab with the SSL-VPN portal and click Quick Connection again. This time
in the URL field type www.gunsgunsguns.com and click Launch.
This URL is set to be blocked by the Web Filter security profile you enabled in the SSL VPN
firewall policy.
5. Remain logged into the SSL VPN portal and continue to the next procedure.
To monitor user authentications
1. Return to the browser tab where you are logged into Local-FortiGate as admin.
2. Monitor aduser1. You can view this particular login authentication from the following:
FortiView > VPN (filter on last 5 minutes and double-click the entry to view more details)
Monitor > SSL-VPN Monitor
3. View the activity of aduser1. You can check the following:
FortiView > All Sessions
Log & Report > Forward Traffic (Try filtering by user and any additional filters to get more
specific results.)
Log & Report > Web Filter (Try filtering by user and any additional filters to get more specific
results.)
4. Return to your browser tab where you are logged into the SSL VPN portal and log out.
You will notice back in the Local-FortiGate GUI (where you are logged in as admin) that Monitor
> SSL-VPN Monitor no longer shows the authentication, as the connection is not active.
However, FortiView > VPN retains the login information.
5. Close all your browser tabs except for the tab with the Local-FortiGate GUI.
2 Captive Portal
In this exercise, you will configure captive portal and restrict access to a specific user group. Captive
portal is a convenient way to authenticate Web users on wired or WiFi networks through an HTML
form that requests a user name and password (active authentication).
This exercise involves creating a user group (and adding a user to it); enabling captive portal and
restricting access based on that group; and enabling the disclaimer message.
Finally, you will authenticate through captive portal and monitor the authentication.
Creating a User Group for Captive Portal
Since the goal is to enable captive portal based on a specific group, you must first create a user group
and then add a user to the group. For the purposes of this exercise, you will add the user student to
the group. Student is a local user on FortiGate that was pre-configured for you.
To create a user group for captive portal
1. From the Local-Windows VM, open a browser and log in as admin to the Local-FortiGate GUI at
10.0.1.254.
2. Go to User & Device > User Groups and click Create New.
3. Complete the following:
Name: CP-group
Type: Firewall
Members: student
4. Click OK.
Enabling Captive Portal
In this procedure, you will enable captive portal on a wired network.
To enable captive portal
1. In the Local-FortiGate GUI, go to Network > Interfaces and edit port3.
This port is your incoming traffic. For more information, see the Network Topology.
2. Complete the following under the Admission Control section:
Security Mode: Captive Portal
Authentication Portal: Local
User Access: Restricted to Groups
User Groups: CP-group
3. Click OK.
Enabling the Disclaimer Message
In order to provide those logging in through captive portal with a disclaimer message, you must enable
disclaimers. Since we are enabling captive portal through a wired interface, disclaimers can only be
enabled through the CLI.
Note: If captive portal is enabled through WiFi, you can enable disclaimers through the
GUI (WiFi & Switch Controller > SSID). We are using a wired interface in this lab.
To enable the disclaimer message
1. Open PuTTY on the Local-Windows VM and connect to the LOCAL-FORTIGATE saved session
(connect over SSH).
2. Log in as admin.
3. Type the following command:
config firewall policy
edit 1
set disclaimer enable
end
4. Close PuTTY.
Authenticating and Monitoring
Now that captive portal is configured and the disclaimer enabled, you can test it by authenticating
through captive portal as the student user. You will then monitor the authentication as the admin user.
To authenticate through captive portal
1. In the Local-Windows VM, open a new browser tab and go to any website, such as www.bbc.com.
2. When prompted, log in with username student and password fortinet.
The Terms and Disclaimer Agreement dialog appears.
3. Click Yes, I agree.
Once you agree to the terms, you are redirected to the website you originally requested.
4. Open additional browser tabs and access a few more websites through captive portal, for
example:
www.youtube.com
www.cnn.com
5. Leave all browser tabs open and continue to the next procedure.
To monitor active captive portal authentications
1. In the Local-Windows VM, return to the browser tab where you are logged into the Local-FortiGate
GUI as admin.
2. Monitor the student user. You can view this particular login authentication from Monitor > Firewall
User Monitor.
Note: While the CLI config user setting dictates how long a user authenticating
through captive portal can remain authenticated, you can choose to manually de-
authenticate a captive portal user by selecting the user in the Firewall User Monitor list and
clicking De-authenticate. Once de-authenticated, the user disappears from the list, as it is
reserved for active users only.
3. Select student and click De-authenticate to manually end the user's session.
4. Click OK.
5. Close the browser.
LAB 6 SSL VPN
In this lab, you will manage user groups and portals for an SSL VPN.
Objectives
Configure and connect to an SSL VPN
Enable authentication security
Configure firewall policies that allow SSL VPN users to access private network resources
Time to Complete
Estimated: 25 minutes
Prerequisites
Before beginning this lab, you must restore a configuration file to the Local-FortiGate.
To restore the Local-FortiGate configuration file
1. From the Local-Windows VM, open a browser and log in as admin to the Local-FortiGate GUI at
10.0.1.254.
2. Go to Dashboard, and from the System Information widget click Restore.
3. Click Upload, browse to Desktop > Resources > FortiGate-I > Introduction and select
local-ssl-vpn.conf.
4. Click OK.
5. Click OK.
1 Web-Only SSL VPN
FortiGate SSL VPN supports three operation modes: web-only, port forward and tunnel. During this
lab exercise you will test the web-only mode. The VPN in this lab will allow VPN users connecting from
the Remote-Windows VM to access the local subnet (10.0.1.0/24).
Configuring the SSL VPN Settings
This procedure configures the SSL VPN settings.
To configure the SSL VPN settings
1. From the Local-Windows VM, open a browser and log in as admin to the Local-FortiGate GUI at
10.0.1.254.
2. Go to VPN > SSL-VPN Settings.
3. Under the Connection Settings, configure the following values:
Listen on Interface(s): port1
Listen on Port: 10443
Restrict Access: Allow access from any host
Inactive For: 3000 seconds
Server Certificate: Fortinet_Factory
4. Under the Tunnel Mode Client Settings, select Automatically assign addresses.
5. Under the Authentication/Portal Mapping, select All Other Users/Groups and click Edit:
6. Select the portal web-access from the drop-down list and click OK.
7. Click Apply to save all the changes.
8. Click OK to confirm the use of the built-in certificate.
Creating a Firewall Policy for SSL VPN
This procedure will create a firewall policy to allow traffic from SSL VPN users to the local subnet
(10.0.1.0/24).
To create a firewall policy for SSL VPN
1. In the Local-FortiGate, go to Policy & Objects > IPv4 Policy.
2. Click Create New and add the following firewall policy:
Name: SSL VPN Access
Incoming Interface: SSL-VPN tunnel interface
Outgoing Interface: port3
Source: SSLVPN_TUNNEL_ADDR1, SSL_VPN_USERS
Destination Address: LOCAL_SUBNET
Schedule: always
Service: ALL
Action: ACCEPT
3. Disable NAT and click OK.
4. Click OK to confirm the use of the built-in certificate.
Testing the SSL VPN
Now you will test the SSL VPN by connecting from the Remote-Windows VM.
To test the SSL VPN
1. Connect to the Remote-Windows VM.
2. Open Firefox and connect to:
https://10.200.1.1:10443/
3. To accept the security warning, click Advanced and select Add Exception.
4. Click Confirm Security Exception.
Stop and Think
Why did you get this security warning?
For SSL connections, the FortiGate is using a built-in certificate, which is signed by a
certificate authority that the browser does not trust. In the Certificate Operations lesson of
the FortiGate II course, you can learn more about why this happens and how to fix it.
5. Log in as student with the password fortinet.
Notice that the web portal is using its default settings.
6. Log out.
Adding a Bookmark to the Portal
Using this procedure, you will add a bookmark to the portal.
To add a bookmark to the portal
1. Go back to the Local-Windows VM and connect to the Local-FortiGate GUI.
2. Go to VPN > SSL-VPN Portals.
3. Click the web-access row, and then click Edit.
4. In the Predefined Bookmarks section, click Create New. Configure these settings:
Name: Local-Windows VM
Type: HTTP/HTTPS
URL: http://10.0.1.10
Single Sign-On: Disabled
5. Click OK to close the bookmark.
6. Click OK again to save the portal's settings.
Testing the Bookmark
You will connect to the SSL VPN tunnel again from the Remote-Windows VM and confirm that you can
access 10.0.1.10 from the bookmark.
To test the bookmark
1. From the Remote-Windows VM, open Firefox and connect to the SSL VPN portal again:
https://10.200.1.1:10443
2. Log in using the account student with the password fortinet.
3. Click on the Local-Windows VM bookmark.
4. You will connect to the web server running in the Local-Windows VM (10.0.1.10).
Examining the Web-Only (Reverse HTTP Proxy) Mechanism
Observe the URL in the address bar.
What does it mean?
To examine the reverse HTTP proxy mechanism
1. In the browser's address bar, notice the URL.
https://10.200.1.1:10443/proxy/..../http/10.0.1.10/
If you were on the local network while accessing the website, the address would be
http://10.0.1.10. But, since you are accessing it remotely, through FortiGate's HTTP proxy, the
URL is different.
Part of the URL and what it indicates:
https://10.200.1.1:10443
    The connection is SSL/TLS-encrypted, and the portal is on FortiGate's port1 SSL VPN gateway.
/proxy/..../http/
    The connection is being handled by FortiGate's HTTP reverse proxy.
10.0.1.10/
    The destination IP address of the website inside your private network, which you are accessing through the VPN.
Note: The FortiGate encrypts the connection to the browser. But the destination server's
IP address in the URL is displayed in clear text, not hidden from users. The secondary
connection, from FortiGate's HTTP proxy to the bookmarked website, is not encrypted.
Disconnecting an SSL VPN User
This procedure shows how to disconnect an SSL VPN user from the FortiGate GUI.
To disconnect an SSL VPN user
1. From the Local-Windows VM, connect back to the Local-FortiGate GUI.
2. Go to Monitor > SSL-VPN Monitor.
3. Right-click the user student and select End Session.
2 SSL VPN Tunnel Mode
In this exercise, you will change the SSL VPN configuration to support tunnel mode.
Adding Tunnel Mode
The SSL VPN portal associated with each user group determines who has tunnel mode access. You
will change the SSL VPN configuration to use the portal full-access, which supports tunnel mode.
To add tunnel mode
1. In the Local-FortiGate GUI, go to VPN > SSL-VPN Settings.
2. Under the Authentication/Portal Mapping, select All Other Users/Groups and click Edit:
3. Select full-access and click OK.
4. Click Apply.
5. Click OK to confirm the use of the built-in certificate.
Configuring the Routing for Tunnel Mode
In tunnel mode, FortiClient installs one or more routes on the SSL VPN client once the tunnel is
connected. In this way, traffic destined for the internal subnets is routed through the tunnel.
To configure the routing for tunnel mode
1. In the Local-FortiGate GUI, go to VPN > SSL-VPN Portals.
2. Select the full-access portal and click Edit.
3. Set the Routing Address to LOCAL_SUBNET:
4. Click OK.
Configuring FortiClient for SSL VPN
Connecting in SSL VPN tunnel mode requires FortiClient. You will use the FortiClient installed on the
Remote-Windows VM to test your configuration.
To configure FortiClient for SSL VPN
1. From the Remote-Windows VM, start FortiClient.
2. Click Configure VPN.
3. Select the SSL-VPN tab and configure the following settings:
Connection Name: Local-FortiGate
Remote Gateway: 10.200.1.1
Customize port: Enabled and 10443
4. Click Apply.
5. Click Close.
Testing the Tunnel Mode
You will connect using the student account to test the tunnel mode.
To test the tunnel mode
1. In the Remote-Windows VM, open FortiClient and enter the username student with the
password fortinet.
2. Click Connect.
3. Click Yes to accept the certificate.
4. Wait a few seconds and open FortiClient again. You should observe that the tunnel is connected.
5. Open Firefox and access the URL:
http://10.0.1.10
Observe that you are now using the web server URL as if you were connected locally. You are
not using the reverse HTTP proxy as in the case of web-only mode. Your IP traffic is directly
encapsulated over HTTPS and sent through the tunnel.
6. Go back to FortiClient and click Disconnect.
LAB 7 Basic IPsec VPN
In this lab, you will configure a point-to-point IPsec VPN between two FortiGate devices.
Objectives
Identify the phases of Internet Key Exchange (IKEv1).
Compare route-based to policy-based VPNs.
Deploy a site-to-site VPN between two FortiGates.
Monitor VPN tunnels.
Time to Complete
Estimated: 30 minutes
Prerequisites
Before beginning this lab, you must restore configuration files to the Local-FortiGate and Remote-FortiGate.
To restore the Remote-FortiGate configuration file
1. From the Local-Windows VM, open a browser and log in as admin to the Remote-FortiGate GUI
at 10.200.3.1.
2. Go to Dashboard, and from the System Information widget click Restore.
3. Select to restore from Local PC and click Upload.
4. Browse to Desktop > Resources > FortiGate-I > Introduction and select remote-initial.conf.
5. Click OK.
6. Click OK to reboot.
To restore the Local-FortiGate configuration file
1. From the Local-Windows VM, open a browser and log in as admin to the Local-FortiGate GUI at
10.0.1.254.
2. Go to Dashboard, and from the System Information widget click Restore.
3. Select to restore from Local PC and click Upload.
4. Browse to Desktop > Resources > FortiGate-I > Introduction and select local-initial.conf.
5. Click OK.
6. Click OK to reboot.
1 Route-based IPsec VPN
During this lab you will configure an IPsec tunnel between the Local-FortiGate and the Remote-FortiGate
for communication between the Local-Windows VM and the Remote-Windows VM.
Creating a VPN Using the VPN Wizard
You will configure the Local-FortiGate side using the VPN wizard, which creates the IPsec VPN in
route-based mode.
To create a VPN using the VPN wizard
1. From the Local-Windows VM, open a browser and log in as admin to the Local-FortiGate GUI at
10.0.1.254.
2. Go to VPN > IPsec Tunnels.
3. Click Create New.
4. Configure the following settings:
Name: ToRemote
Template Type: Site to Site
Remote Device Type: FortiGate
NAT Configuration: No NAT between sites
5. Click Next .
6. Configure the following settings:
Remote Device: IP Address
IP Address: 10.200.3.1
Outgoing interface: port1
Authentication Method: Pre-shared Key
Pre-shared Key: fortinet
7. Click Next.
8. Configure the following settings:
Local Interface: port3
Local Subnets: 10.0.1.0/24
Remote Subnets: 10.0.2.0/24
9. Click Create. You should see the following screen:
10. Click Show Tunnel List. You will see the VPN you have just created:
Reviewing the Objects Created By the VPN Wizard
You will review what was created by the VPN wizard.
To review the objects created by the VPN wizard
1. In the Local-FortiGate GUI, go to VPN > IPsec Tunnels.
2. Select the VPN and click Edit. Observe the quick mode selectors that the wizard configured for
you:
You will need this information to configure the other FortiGate. The quick mode selectors on both
sides must mirror each other. In other words, the Local Address on one side must match the
Remote Address on the other side.
3. Go to Network > Interfaces.
4. Click the plus sign next to port1. You will see a new virtual interface named ToRemote
(matching the phase 1 name).
Stop and Think
What does this virtual interface tell us about the VPN created by the wizard? Is it policy-based or route-based?
Discussion
The wizard created the VPN using a route-based configuration. The FortiGate
automatically adds an IPsec virtual interface for each VPN configured as route-based. This
does not happen in a policy-based configuration.
A route-based VPN requires firewall policies and at least one route to the remote network. As
you will see, the wizard has created all these additional objects for you.
5. Go to Policy & Objects > Addresses and observe two new Firewall address objects:
ToRemote_local_subnet_1, and ToRemote_remote_subnet_1.
6. Go to Policy & Objects > IPv4 Policy and observe the new two firewall policies: one from
port3 to ToRemote and another one from ToRemote to port3. You will see that the Action in
both cases is ACCEPT.
7. Go to Network > Static Routes and look at the static route added by the wizard.
You have completed the VPN configuration on the Local-FortiGate side. In the next exercise you will
do the configuration on the Remote-FortiGate side.
2 Policy-based IPsec VPN
For learning purposes, you will do the configuration in both FortiGates differently. During this exercise
you will create the VPN on the Remote-FortiGate side without using the wizard, using a policy-based configuration.
Un-hiding the Policy-based VPN Settings
Policy-based configuration is hidden from the GUI by default. You will un-hide it.
To un-hide the policy-based VPN settings
1. From the Local-Windows VM, open a browser and log in as admin to the Remote-FortiGate GUI at
10.200.3.1.
2. Go to System > Feature Select.
3. Enable Policy-based IPsec VPN.
4. Click Apply.
Creating a Policy-based VPN
You will create the phases 1 and 2.
To create a policy-based VPN
1. In the Remote-FortiGate GUI, go to VPN > IPsec Tunnels.
2. Click Create New.
3. Type the name ToLocal and select Custom as the template type.
4. Click Next.
5. Disable the setting Enable IPsec Interface Mode:
6. Configure the following settings:
Remote Gateway: Static IP Address
IP Address: 10.200.1.1
Interface: port4
Mode Config: Disabled
NAT Traversal: Disabled
Dead Peer Detection: On Idle
Method: Pre-shared Key
Pre-shared Key: fortinet
7. Leave the other parameters at their default values and scroll down the window to display the
phase 2 settings. Click the pencil icon to edit the Phase 2 Selectors:
8. Enter 10.0.2.0/24 as the Local Address and 10.0.1.0/24 as the Remote Address:
9. Click OK.
Creating a Firewall Policy for Policy-based VPN
The last step is to create a firewall policy to allow traffic. In a policy-based configuration only one
policy is required to allow traffic initiated at either side. The policy is applied bi-directionally.
To create a firewall policy for policy-based VPN
1. In the Remote-FortiGate GUI, go to Policy & Objects > IPv4 Policy.
Note: Now the quick mode selectors on both sides mirror each other. If that is not the
case, the tunnel will not come up.
2. Click Create New.
3. Configure the following settings:
Name: VPN traffic to Local
Incoming Interface: port6
Outgoing Interface: port4
Source: REMOTE_SUBNET
Destination Address: LOCAL_SUBNET
Schedule: always
Service: ALL
Action: IPsec
VPN Tunnel: ToLocal
Allow traffic to be initiated from the remote site: Enabled
4. Click OK.
Moving a Firewall Policy
The new policy was created below the firewall policy for Internet traffic. You will need to move it up for
the VPN traffic to match it.
To move a firewall policy
1. In the Remote-FortiGate GUI, go to Policy & Objects > IPv4 Policy.
2. Expand the list of firewall policies from port6 to port4:
3. Drag and drop the policy for VPN traffic to Local to the top:
Note: This is probably the first time you see the action IPsec for a firewall policy. In
previous exercises the available actions were Accept and Deny only. The action IPsec is
displayed in the GUI only when the policy-based VPN settings are not hidden.
Stop and Think
In the previous exercise, the VPN wizard added a static route for the VPN traffic. Why
don't you need to add a static route in this case?
Discussion
The VPN wizard creates the IPsec VPN using a route-based configuration, which always requires
additional routes (usually static routes) to send the traffic through the IPsec virtual
interface. This is usually not required in a policy-based configuration, which instead requires
the VPN traffic to match a firewall policy with the action IPsec. Because traffic from
10.0.2.0/24 to 10.0.1.0/24 matches the existing default route, and therefore the IPsec
firewall policy from port6 to port4, no additional routes are needed.
3 Testing and Monitoring the VPN
You have finished the configuration in both FortiGates. The next step is to test the VPN.
Testing the VPN
You will test the VPN.
To test the VPN
1. From the Local-Windows VM, open a browser and log in as admin to the Local-FortiGate GUI at
10.0.1.254.
2. Go to Monitor > IPsec Monitor. Observe that the VPN is currently down.
3. Right-click the VPN and select Bring Up:
The Status of the VPN will show the green up arrow, indicating that the tunnel is up.
Stop and Think
Do I always have to bring the tunnel up manually after creating it?
Discussion
No. With the current configuration, the tunnel will stay down until either you manually bring
it up or there is traffic that should be routed through the tunnel. As you are not generating
traffic between 10.0.1.0/24 and 10.0.2.0/24 yet, the tunnel was still down. If you had
generated the required traffic while the tunnel was down, it would have gone up
automatically.
4. Open a command prompt window in the Local-Windows VM and execute the following command
to ping Remote-Windows:
ping 10.0.2.10
The ping should work.
5. Go back to the Local-FortiGate GUI and go to Monitor > IPsec Monitor.
6. Click Refresh to refresh the screen. You will observe that the counters for Incoming Data and
Outgoing Data have increased. This indicates that the traffic between 10.0.1.10 and 10.0.2.10 is
successfully being encrypted and routed through the tunnel:
Congratulations. You have successfully configured an IPsec VPN between two FortiGate devices.
LAB 8 Explicit Web Proxy
In this lab, you will learn how to configure FortiGate to be an explicit web proxy.
Objectives
Configure FortiGate to act as an explicit web proxy.
Use a PAC file to configure explicit proxy settings in web browsers.
Authenticate and monitor explicit web proxy users.
Time to Complete
Estimated: 30 minutes
Prerequisites
Before beginning this lab, you must restore a configuration file to the Local-FortiGate.
To restore the FortiGate configuration file
1. From the Local-Windows VM, open a browser and log in as admin to the Local-FortiGate GUI at
10.0.1.254.
2. Go to Dashboard, and from the System Information widget click Restore.
3. Select to restore from Local PC and click Upload.
4. Browse to Desktop > Resources > FortiGate-I > Explicit-Proxy and select local-explicit-proxy.conf.
5. Click OK.
6. Click OK to reboot.
1 Configuring the Explicit Web Proxy
During this exercise you will configure the FortiGate to be an explicit web proxy. You will also
configure the FortiGate to authenticate explicit web proxy users and allow Internet access to only one
user.
After that, you will manually configure Firefox with the proxy IP address and port.
Un-hiding the Explicit Web Proxy Setting
Explicit web proxy settings are hidden from the GUI by default. You will un-hide them.
To un-hide the explicit web proxy setting
1. From the Local-Windows VM, open a browser and log in as admin to the Local-FortiGate GUI at
10.0.1.254.
2. Go to System > Feature Select.
3. Under Security Features, enable Explicit Proxy.
4. Click Apply.
Enabling Explicit Web Proxy
You will enable the explicit web proxy in the network settings.
To enable explicit web proxy
1. In the Local-FortiGate GUI, go to Network > Explicit Proxy.
2. Enable Explicit Web Proxy.
3. For HTTPS port, select Use HTTP Port.
4. Click Apply.
Enabling Explicit Web Proxy on an Interface
You will specify which internal interface the explicit web proxy will listen on.
To enable explicit web proxy on an interface
1. In the Local-FortiGate GUI, go to Network > Interfaces.
2. Edit the interface port3.
3. Enable the option Enable Explicit Web Proxy.
4. Click OK.
Creating an Explicit Proxy Policy
You will create the policy to allow explicit proxy traffic to the Internet. Only the user student will be
allowed to browse the Internet through the proxy.
To create an explicit proxy policy
1. In the Local-FortiGate GUI, go to Policy & Objects > Explicit Proxy Policy.
2. Click Create New.
3. Configure these settings:
Explicit Proxy Type: Web
Enabled On: port3
Outgoing Interface: port1
Source Address: LOCAL_SUBNET
Destination Address: all
Action: AUTHENTICATE
4. Click Create New to add an authentication rule:
5. Configure the following settings:
Users/Groups: student
Schedule: always
6. Click OK.
7. Click OK.
Configuring Firefox for Explicit Web Proxy
You have configured the Local-FortiGate as an explicit web proxy. Now you will configure Firefox to
use it.
To configure Firefox for explicit web proxy
1. On the Local-Windows VM, open Firefox.
2. Click the Open Menu icon on the top right corner:
3. Select Options:
4. Go to the Advanced > Network tab.
5. Click Settings:
6. Select Manual proxy configuration and enter:
HTTP Proxy: 10.0.1.254
Port: 8080
7. Enable the option Use this proxy server for all protocols.
8. Add the subnet 10.0.1.0/24 (separated by a comma) to the No Proxy for list. This list contains the
names, IP addresses and subnets of web sites that will be exempted from using the proxy:
9. Click OK.
10. Close Firefox and open it again.
Testing the Explicit Web Proxy Configuration
You will test the explicit web proxy configuration.
To test the explicit web proxy configuration
1. From Local-Windows VM, open Firefox and browse to any HTTP web site, such as:
http://www.pearsonvue.com/fortinet/
http://cve.mitre.org
http://www.eicar.org
2. FortiGate will ask for authentication. Use these credentials:
User Name: student
Password: fortinet
After that, you should have Internet access through the explicit web proxy.
Listing the Active Explicit Web Proxy Users
You will execute a CLI command to display the list of active explicit web proxy users.
To list the active explicit web proxy users
1. In the Local-Windows VM, open PuTTY and connect to the LOCAL-FORTIGATE saved session
(connect over SSH).
2. Type the following CLI command to check the list of active web proxy users:
# diagnose wad user list
3. You can also check this list from the GUI, by going to Monitor > Firewall User Monitor.
Listing the Active Explicit Web Proxy Sessions
For each explicit web proxy connection to a web site, two TCP connections are usually created: one
from the client to the proxy, and another one from the proxy to the server.
You will run some debug commands to list the sessions established between the client and the
proxy; then the sessions established between the proxy and the servers.
To list the active explicit web proxy sessions between the client and the proxy
1. In the Local-Windows VM, open a few tabs in Firefox and generate some HTTP traffic, such
as:
http://www.pearsonvue.com/fortinet/
http://cve.mitre.org
http://www.eicar.org
2. From the Local-FortiGate CLI, type these CLI commands while browsing some HTTP sites:
diagnose sys session filter clear
diagnose sys session filter dport 8080
diagnose sys session list
You can also use the grep command to display only the source and destination IP addresses and
ports for each session:
diagnose sys session list | grep hook=pre
Why is the source IP address of all those sessions 10.0.1.10?
Why is the destination IP address of all those sessions 10.0.1.254?
Why don’t we see any public IP address listed in those sessions?
To list the active explicit web proxy sessions between the proxy and the servers
1. In the Local-Windows VM, open a few tabs in Firefox and generate some HTTP traffic, such as:
http://www.pearsonvue.com/fortinet/
http://cve.mitre.org
http://www.eicar.org
2. From the Local-FortiGate CLI, type these CLI commands while browsing some HTTP sites:
diagnose sys session filter clear
diagnose sys session filter dport 80
diagnose sys session list | grep hook=out
Why is the source IP address of all these sessions 10.200.1.1?
Why don’t we see the IP address of Windows server (10.0.1.10)?
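As an added example (not part of the course material), the script below parses lines in the shape that the `grep hook=` commands above print and separates the browser-to-proxy leg from the proxy-to-server leg. The sample lines are constructed for this lab's addresses; 203.0.113.10 and 198.51.100.7 stand in for the public web servers and are not real lab values.

```javascript
// Added example: constructed session lines in the shape printed by
// "diagnose sys session list | grep hook=". Not output captured from the lab.
const SAMPLE_SESSION_LINES = [
  // Leg 1: browser on the Local-Windows VM -> explicit proxy on port3 (dport 8080)
  "hook=pre dir=org act=noop 10.0.1.10:49220->10.0.1.254:8080(0.0.0.0:0)",
  "hook=post dir=reply act=noop 10.0.1.254:8080->10.0.1.10:49220(0.0.0.0:0)",
  "hook=pre dir=org act=noop 10.0.1.10:49221->10.0.1.254:8080(0.0.0.0:0)",
  // Leg 2: the proxy itself, sourced from port1 (10.200.1.1) -> web servers (dport 80).
  // The server addresses are placeholders from the documentation ranges.
  "hook=out dir=org act=noop 10.200.1.1:31002->203.0.113.10:80(0.0.0.0:0)",
  "hook=in dir=reply act=noop 203.0.113.10:80->10.200.1.1:31002(0.0.0.0:0)",
  "hook=out dir=org act=noop 10.200.1.1:31003->198.51.100.7:80(0.0.0.0:0)",
  // A header line of the kind grep would not return; the parser ignores it.
  "session info: proto=6 proto_state=01 duration=3 expire=3597 timeout=3600",
];

// hook=<pre|post|in|out> dir=<org|reply> act=<noop|snat|dnat> src:port->dst:port(natip:natport)
const SESSION_RE =
  /^hook=(\w+) dir=(\w+) act=(\w+) (\d{1,3}(?:\.\d{1,3}){3}):(\d+)->(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\((\S+?):(\d+)\)$/;

// Returns the parsed fields of one session line, or null for lines that are
// not in the hook= shape.
function parseSessionLine(line) {
  const m = SESSION_RE.exec(line.trim());
  if (!m) return null;
  return {
    hook: m[1], dir: m[2], act: m[3],
    src: m[4], sport: Number(m[5]),
    dst: m[6], dport: Number(m[7]),
    natIp: m[8], natPort: Number(m[9]),
  };
}

// True for RFC 1918 private addresses (10/8, 172.16/12, 192.168/16).
function isPrivateIPv4(ip) {
  const o = ip.split(".").map(Number);
  return o[0] === 10
    || (o[0] === 172 && o[1] >= 16 && o[1] <= 31)
    || (o[0] === 192 && o[1] === 168);
}

// Splits originating-direction sessions into the client leg (hook=pre, to the
// proxy port) and the server leg (hook=out, opened by the FortiGate itself),
// and summarizes what each leg reveals. clientIp is the browser's address,
// whose absence from the server leg answers the lab's last question.
function summarizeProxySessions(lines, { proxyPort = 8080, clientIp = "10.0.1.10" } = {}) {
  const clientLeg = [];
  const serverLeg = [];
  for (const line of lines) {
    const s = parseSessionLine(line);
    if (!s || s.dir !== "org") continue; // replies mirror the originals; skip them
    if (s.hook === "pre" && s.dport === proxyPort) clientLeg.push(s);
    else if (s.hook === "out") serverLeg.push(s);
  }
  const uniq = (values) => [...new Set(values)];
  return {
    clientLeg: {
      count: clientLeg.length,
      sources: uniq(clientLeg.map((s) => s.src)),
      destinations: uniq(clientLeg.map((s) => `${s.dst}:${s.dport}`)),
      // Browser-to-proxy sessions stay inside the LAN, so no public address appears.
      publicAddressSeen: clientLeg.some((s) => !isPrivateIPv4(s.src) || !isPrivateIPv4(s.dst)),
    },
    serverLeg: {
      count: serverLeg.length,
      sources: uniq(serverLeg.map((s) => s.src)),
      destinations: uniq(serverLeg.map((s) => `${s.dst}:${s.dport}`)),
      // The proxy opens its own TCP connection, so the browser's address is absent here.
      clientIpSeen: serverLeg.some((s) => s.src === clientIp || s.dst === clientIp),
    },
  };
}

console.log(JSON.stringify(summarizeProxySessions(SAMPLE_SESSION_LINES), null, 2));
```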
2 Using a PAC File
During this exercise, you will configure a proxy auto-config (PAC) file. You will also configure the
browser to get the PAC file from the FortiGate and use it.
Configuring FortiGate to Provide the PAC File
You will configure FortiGate to host a PAC file and make it available for browsers to download it.
To configure FortiGate to provide the PAC file
1. From the Local-Windows VM, open a browser and log in as admin to the Local-FortiGate GUI at
10.0.1.254.
2. Go to Network > Explicit Proxy.
3. Enable the option Proxy auto-config (PAC).
4. Click the pencil icon to edit the PAC file:
5. Click Browse.
6. Select the file proxy.pac in the folder Resources\FortiGate-I\Explicit-Proxy.
7. Click Import
8. Click Apply.
9. Click Apply.
Checking the PAC File
You will open the PAC file from the Local-FortiGate GUI to review it.
To check the PAC file
1. In the FortiGate GUI, go to Network > Explicit Proxy.
2. Click the pencil icon to look at the imported PAC file:
3. Click Cancel to close the PAC file.
Configuring Firefox to Download the PAC File
You will configure Firefox with the URL where the PAC file is hosted. Firefox will connect to the
specified URL to download and install the PAC file.
To configure Firefox to download the PAC file
1. From the Local-Windows VM open Firefox.
2. Click the Open Menu icon on the top right corner:
3. Select Options.
4. Select the Advanced > Network tab
5. Click Settings.
6. Select the option Automatic proxy configuration URL then type:
http://10.0.1.254:8080/proxy.pac
Note: The second line in the PAC file specifies that the browser will not use a proxy to
reach the servers in the subnet 10.0.0.0/8. The next line configures the browser to use
the FortiGate proxy for any other subnet or URL.
7. Click OK.
8. Close Firefox and open it again.
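The note above describes two rules in the PAC file. As an added example (not the course's own proxy.pac, whose exact contents the guide does not show), here is a PAC file implementing those two rules, together with an offline stand-in for the browser's built-in isInNet() helper so the decision logic can be exercised outside a browser; the stand-in only matches literal IPv4 addresses and does not resolve host names.

```javascript
// Added example: a PAC file equivalent to the rules described in the lab note,
// plus a test stand-in for the PAC helper isInNet(). Not the course's proxy.pac.

// Converts a dotted-quad IPv4 string to an unsigned 32-bit number, or null if
// the string is not a plain IPv4 address.
function ipToInt(ip) {
  const parts = String(ip).split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// Stand-in for the browser's isInNet(host, pattern, mask). The real helper
// resolves host names with DNS first; this offline version (an assumption for
// testing) only matches literal IPv4 addresses and treats any host name as
// outside the network.
function isInNet(host, pattern, mask) {
  const h = ipToInt(host);
  const p = ipToInt(pattern);
  const m = ipToInt(mask);
  if (h === null || p === null || m === null) return false;
  // >>> 0 keeps the bitwise result unsigned on both sides of the comparison.
  return ((h & m) >>> 0) === ((p & m) >>> 0);
}

// The PAC entry point, called by the browser for every request.
// Rule 1: hosts in 10.0.0.0/8 are reached directly, bypassing the proxy, so
//         that traffic needs an ordinary IPv4 firewall policy on FortiGate
//         rather than an explicit proxy policy.
// Rule 2: everything else goes to the explicit web proxy listening on port3.
function FindProxyForURL(url, host) {
  if (isInNet(host, "10.0.0.0", "255.0.0.0")) {
    return "DIRECT";
  }
  return "PROXY 10.0.1.254:8080";
}

// Convenience for checking the URLs the lab has you visit: returns the host the
// browser would pass to FindProxyForURL and the decision it would get back.
function decideFor(urlString) {
  const host = new URL(urlString).hostname;
  return { url: urlString, host, decision: FindProxyForURL(urlString, host) };
}

// Example run with the lab's own test URLs.
for (const u of ["http://cve.mitre.org", "http://10.200.1.254", "http://10.0.1.10"]) {
  const d = decideFor(u);
  console.log(`${d.url} -> ${d.decision}`);
}
```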
Testing the PAC file
You will generate some HTTP traffic from the Local-Windows VM to test the PAC file configuration.
To test the PAC file
1. In the Local-Windows VM, open a few tabs in Firefox and generate some HTTP traffic, such as:
http://www.pearsonvue.com/fortinet/
http://cve.mitre.org
http://www.eicar.org
If FortiGate asks you to authenticate, use the student account used previously (password
fortinet). The traffic will go through the FortiGate proxy.
2. You will connect to a web site in the subnet 10.0.0.0/8. The browser will not use the proxy and
will send the HTTP request directly to the server. Try to connect this server:
http://10.200.1.254
It's not working. There's something missing in the FortiGate configuration. Do you know what it
is?
Allowing Traffic that Does Not Require Proxy
The PAC file instructs the browser to not use the proxy for reaching the servers in the subnet
10.0.0.0/8. So, this is traffic that requires a regular firewall policy to be allowed and there is none. You
will create the missing firewall policy. Before that, you will create an address object for the subnet
10.0.0.0/8. You will use this object as the destination address for the firewall policy.
To create an address object
1. From the Local-FortiGate GUI, go to Policy & Objects > Addresses.
2. Click Create New and select Address.
3. Configure the following settings:
Category: Address
Name: 10_SUBNET
Type: IP/Netmask
Subnet / IP Range: 10.0.0.0/8
Interface: any
4. Click OK.
To allow traffic that does not require proxy
1. From the Local-FortiGate GUI, go to Policy & Objects > IPv4 Policy.
2. Click Create New.
3. Configure the following settings:
Name: 10 Subnet
Incoming Interface: port3
Outgoing Interface: port1
Source: LOCAL_SUBNET
Destination Address: 10_SUBNET
Schedule: always
Service: ALL
Action: ACCEPT
NAT: Enabled
4. Click OK.
Testing the Traffic that Does not Require Proxy
You will test the firewall policy that allows traffic from Local-Windows VM that does not require
proxy.
To test the traffic that does not require proxy
1. From Local-Windows VM, open a Firefox window.
2. Access http://10.200.1.254 one more time. It will work now.
Disabling the Explicit Web Proxy in Firefox
To finish the lab exercise, you will disable the proxy in Firefox.
To disable the explicit web proxy in Firefox
1. From Local-Windows VM, open Firefox.
2. Click the Open Menu icon on the top right corner:
3. Click Options.
4. Select Advanced > Network.
5. Click Settings.
6. Select No proxy.
7. Click OK.
8. Close Firefox and open it again.
LAB 9 Antivirus
In this lab, you will configure, use, and monitor both proxy-based and flow-based antivirus scanning on
Local-FortiGate.
Objectives
Configure proxy-based and flow-based antivirus scanning.
Understand FortiGate antivirus scanning behavior.
Scan multiple protocols.
Read and understand antivirus logs.
Time to Complete
Estimated: 20 minutes
Prerequisites
Before beginning this lab, you must restore a configuration file to the FortiGate.
To restore the FortiGate configuration file
1. From the Local-Windows VM, open a web browser and log in as admin to the Local-FortiGate
GUI at 10.0.1.254.
2. Go to Dashboard, and from the System Information widget click Restore.
3. Select to restore from Local PC and click Upload.
4. Browse to Desktop > Resources > FortiGate-I > Antivirus and select local-antivirus.conf.
5. Click OK.
6. Click OK to reboot.
1 Proxy-based Antivirus Scanning
In proxy-based scanning, each protocol's proxy buffers the entire file (or buffers until the oversize limit
is reached) and then scans it. The client must wait for the scan to finish.
In this exercise, you will configure proxy-based antivirus scanning, including associated security
features (such as proxy options and deep inspection), and apply it to the firewall policy. You will
observe the behavior of antivirus scanning when deep inspection is disabled and when it is enabled.
Finally, you will view the logs and summary information for the antivirus activity.
Configuring Proxy-based Antivirus settings
The configuration file you uploaded at the beginning of this lab already has proxy-based antivirus
settings preconfigured for you. In this procedure, you will verify the settings and enable the
proxy-based antivirus profile on your firewall policy.
To review Proxy-based Antivirus Profile
1. From the Local-Windows VM, open a web browser and log in as admin to the Local-FortiGate
GUI at 10.0.1.254.
2. Go to Dashboard > System Information widget.
You will notice that Inspection Mode is set to Proxy-based.
3. Go to Security Profiles > AntiVirus and select the default antivirus profile.
4. Verify that Detect Viruses is set to Block and that HTTP scanning is enabled under Inspected
Protocols.
This profile defines the behavior for virus scanning on the traffic that matches policies using that
profile.
Enabling the Antivirus Profile on a Firewall Policy
Now that your antivirus profile is configured, you must enable the antivirus profile on your firewall
policy. When an antivirus profile is enabled on a firewall policy, FortiGate can scan the matching traffic
for viruses and can generate logs (based on the configured log settings).
To enable Antivirus Profile on a Firewall Policy
1. In the Local-FortiGate GUI, go to Policy & Objects > IPv4 Policy.
2. Right-click on the Seq.# column for AV_Scan firewall policy.
3. Click Edit.
4. Under Security Profiles, enable AntiVirus and select default from the associated drop-down
list.
Note: When you select an antivirus profile, Proxy Options is automatically enabled. You
cannot disable Proxy Options, but you can select any pre-configured proxy options profile
from the associated drop-down list.
5. Leave all other settings at their defaults and click OK to save the changes.
6. Optionally, if you would like to see the default proxy options profile selected in the firewall policy,
go to Security Profiles > Proxy Options.
This profile determines how FortiGate's proxies pick up protocols. For example, the HTTP
listening port is set to port 80.
Testing the Antivirus Configuration
In this procedure, you will download the EICAR file to your Local-Windows VM. The EICAR test file is
an industry-standard, harmless test file that antivirus engines detect as a virus, so you can test
antivirus detection without using real malware. The file contains the following characters:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
To test the antivirus configuration
1. In the Local-Windows VM, launch a web browser and access the following web site:
http://eicar.org
2. On the EICAR web page, click DOWNLOAD ANTI MALWARE TESTFILE (located in the top
right-hand corner of the page) and then click the Download link that appears on the left.
3. Download any of the EICAR sample files from the Download area using the standard protocol
HTTP.
FortiGate should block the download attempt, and insert a replacement message similar to the
following:
FortiGate shows the HTTP virus message when it blocks or quarantines infected files.
4. In the message that is displayed, click the link to view information about the detected virus on
the Fortinet Virus Encyclopedia.
Viewing the Antivirus Logs
The purpose of logs is to help you monitor your network traffic, locate problems, establish
baselines, and make adjustments to network security, if necessary.
To view the antivirus logs
1. In the Local-FortiGate GUI, go to Log & Report > Forward Traffic.
2. Locate the antivirus log message and double click on it.
The Details tab shows forward traffic log information along with the action taken.
3. Click the Security tab to view the security log information, which is more specific to the
security event: file name, Virus/Botnet, and reference, to name a few.
4. You can also view antivirus security logs under Log & Report > AntiVirus.
Note: The AntiVirus logs section will not display if there are no AV logs. FortiGate will
show it after creating logs. If this menu item does not display, log out from the
FortiGate GUI and log in again to refresh it.
5. Go to the Dashboard.
6. Add the Advanced Threat Protection Statistics widget to view the summary statistics of the
antivirus activity.
The Advanced Threat Protection Statistics widget provides statistics about the number of files
submitted and the results of those scans.
Enabling SSL Inspection on a Firewall Policy
So far you have tested antivirus scanning on unencrypted traffic. For FortiGate to inspect
encrypted traffic, deep inspection must be enabled on the firewall policy. With this feature
enabled, FortiGate inspects traffic that uses the SSL encrypted protocol, acting in a way that is very
similar to a man-in-the-middle (MITM) attack.
To test antivirus scanning without SSL Inspection enabled on firewall policy
1. In the Local-Windows VM, launch a web browser and access the following web site:
http://eicar.org
2. On the EICAR web page, click DOWNLOAD ANTI MALWARE TESTFILE and then click the
Download link that appears on the left.
3. This time, download the EICAR sample file from the Download area using the secure,
SSL-enabled protocol HTTPS.
Your download should succeed. FortiGate should not block the file, because full SSL inspection
has not been enabled yet.
To review SSL inspection profile
1. In the Local-FortiGate GUI, go to Security Profiles > SSL/SSH Inspection.
2. Select the deep-inspection profile from the dropdown on the right-hand side.
3. Review and verify the following:
Inspection Method is set to Full SSL Inspection.
Protocol Port Mappings have HTTPS enabled and set to port 443.
To enable SSL inspection profile on a firewall policy and test it
1. In the Local-FortiGate GUI, go to Policy & Objects > IPv4 Policy.
2. Right-click on Seq.# column for AV_Scan firewall policy.
3. Click Edit.
4. Under Security Profiles, enable SSL/SSH Inspection and select deep-inspection from the
associated drop-down list.
5. Leave all other settings at their defaults and click OK to save the changes.
6. Return to the EICAR web page and attempt again to download the eicar.com file from the
Download area using the secure, SSL-enabled protocol HTTPS.
Note: If the FortiGate self-signed full inspection certificate is not installed on the browser,
end users will see a certificate warning. In this environment, the FortiGate self-signed SSL
inspection certificate is installed on the browser.
7. FortiGate should block the download and replace it with a message. If it doesn't, you may
need to clear your cache. In Firefox, go to History > Clear Recent History > Everything.
2 Flow-based Antivirus Scanning
Flow-based scanning has two modes:
Quick scan uses a compact antivirus database and performs faster scanning because it
doesn't cache the file in memory.
Full scan uses the full antivirus database. It caches the file locally, but transmits it
simultaneously to the end client. Everything is transmitted except the last packet. The last
packet is delayed while the whole file is sent to the AV engine for scanning.
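The difference between the two delivery models covered in this lab (proxy-based buffering in exercise 1 versus flow-based streaming with the last packet held back), as an added simulation that is not part of the lab or of FortiGate. The AV engine is a stand-in that only matches the EICAR test string, and the chunked sample files are constructed input.

```python
"""Simulation of the two antivirus delivery models described in this lab.

Added example, not Fortinet code. proxy_based_transfer() buffers the whole
file, scans it, then releases or blocks it; flow_based_transfer() forwards
every chunk as it arrives except the last, which is held until the complete
file has been scanned. av_engine() is a stand-in that only matches the EICAR
test string; real engines use full signature databases.
"""

# Industry-standard EICAR test string (harmless; detected by AV engines).
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def av_engine(data: bytes) -> bool:
    """Stand-in AV engine: True when the EICAR signature is present."""
    return EICAR in data


def chunked(data: bytes, size: int) -> list:
    """Split a byte string into fixed-size chunks (models packets on the wire)."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def proxy_based_transfer(chunks) -> tuple:
    """Proxy-based mode: buffer the entire file, scan it, then deliver or block.

    Returns (bytes_delivered_to_client, verdict). The client waits for the
    scan and receives nothing at all when the file is infected, which is why
    the browser can be shown a replacement (block) page.
    """
    buffer = b"".join(chunks)
    if av_engine(buffer):
        return b"", "blocked"
    return buffer, "clean"


def flow_based_transfer(chunks) -> tuple:
    """Flow-based full scan: stream all chunks but the last, then decide.

    The last chunk is delayed while the whole file goes to the AV engine. On
    detection the session is torn down, but everything before the last chunk
    has already reached the client, so no block page can be injected; the
    client just sees the transfer abort (the FTP error in this lab).
    """
    chunks = list(chunks)
    if not chunks:
        return b"", "clean"
    already_sent = b"".join(chunks[:-1])
    if av_engine(already_sent + chunks[-1]):
        return already_sent, "blocked"
    return already_sent + chunks[-1], "clean"


if __name__ == "__main__":
    # Constructed sample file: the EICAR string embedded in some padding.
    sample = b"hello " + EICAR + b" trailer"
    for name, fn in (("proxy-based", proxy_based_transfer),
                     ("flow-based", flow_based_transfer)):
        delivered, verdict = fn(chunked(sample, 20))
        print(f"{name:12s} verdict={verdict:8s} bytes reaching client={len(delivered)}")
```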
In this exercise, you will change the FortiGate inspection mode to flow-based, which will convert
supported proxy-based profiles to flow-based and will remove any proxy-specific settings. You will test
the flow-based scanning using the FTP protocol.
Switching FortiGate Inspection Mode
On the FortiGate, proxy-based inspection mode is enabled by default. You will be switching the
inspection mode from proxy-based to flow-based.
To switch FortiGate Inspection Mode
1. From the Local-Windows VM, open a web browser and log in as admin to the Local-FortiGate
GUI at 10.0.1.254.
2. Go to Dashboard > System Information widget.
3. Click [Change] in the Inspection Mode column to change from Proxy-based to Flow-based.
4. Select Flow-based, accept the warning message, and click OK to save the changes.
Note: Switching from one inspection mode to another will result in the conversion of
profiles and removal or addition of security features, based on the selected mode.
Reviewing the Flow-based Antivirus Profile
Now that you've changed the inspection mode to flow-based, you will view the antivirus profile to see
the changes.
To review flow-based antivirus profile
1. In the Local-FortiGate GUI, go to Security Profiles > AntiVirus.
2. Review the default antivirus profile.
You will notice that the default antivirus profile has switched from a proxy-based profile to a full
flow-based profile. You will also see that Proxy Options has been removed from under Security
Profiles.
Testing the Flow-based Antivirus Profile
You will now test the flow-based antivirus profile.
To test the antivirus configuration
1. From the Local-Windows VM, locate and open the FileZilla FTP client software.
2. Connect to 10.200.1.254. Leave the username and password blank to use anonymous FTP.
3. On the Remote side, click the pub folder.
4. Right-click the eicar.com file and select Download.
The client should display an error message that the server aborted the connection.
Note: With flow-based virus scanning, data from the file has already been sent to the
client, so no immediate block message/page may appear.
Viewing the Antivirus Logs
Now you will check and confirm the logs for the testing you just performed.
To view the antivirus logs
1. In the Local-FortiGate GUI, go to Log & Report > Forward Traffic.
2. Locate the antivirus log message and double-click the log entry to select it.
The Details tab shows forward traffic log information along with the action taken.
3. Click the Security tab to view security log information. This includes information more specific to
the security event such as file name, Virus/Botnet, and reference, to name a few.
4. You can also view antivirus security logs under Log & Report > AntiVirus.
LAB 10 Web Filtering
In this lab, you will configure one of the most used security profiles on FortiGate: web filter. This
includes configuring a FortiGuard category-based filter, applying the web filter profile on a firewall
policy, testing your configuration, and basic troubleshooting.
You will also apply overrides to FortiGuard website categories and perform overrides to the web
filtering profile. The web filtering overrides allow you to execute different actions, rather than the
configured actions on the web filter security profile.
Objectives
Configure web filtering on a FortiGate device.
Apply the FortiGuard category-based option for web filtering.
Troubleshoot the web filter.
Read and interpret web filter log entries.
Configure web rating overrides.
Configure web profile overrides.
Time to Complete
Estimated: 25 minutes
Prerequisites
Before beginning this lab, you must clear your web browser history/cache and restore a configuration
file to the Local-FortiGate.
To clear the web browser history
1. From the Local-Windows VM, open the browser and click the menu icon in the upper-right corner.
2. Go to History > Clear Recent History and select Everything as the time range to clear.
3. Click Clear Now.
To restore the FortiGate configuration file
1. From the Local-Windows VM, open a browser and log in as admin to the Local-FortiGate GUI at
10.0.1.254.
2. Go to Dashboard, and from the System Information widget click Restore.
3. Select to restore from Local PC and click Upload.
4. Browse to Desktop > Resources > FortiGate-I > Web-Filtering and select local-web-filtering.conf.
5. Click OK.
6. Click OK to reboot.
1 FortiGuard Web Filtering
In order to configure FortiGate for web filtering based on FortiGuard categories, you must ensure
FortiGate has a valid FortiGuard security subscription license. The license provides the web filtering
capabilities necessary to protect against inappropriate websites.
You must then configure a category-based web filter security profile on FortiGate and apply the
security profile on a firewall policy to inspect the HTTP traffic.
Finally, you can test the different actions taken by FortiGate according to the website rating.
Reviewing the FortiGate settings
You will review the inspection mode and the license status according to the uploaded settings. You will
also list the FortiGuard distribution servers (FDS) that your FortiGate will use to send the web filtering
requests.
To review the restored settings on FortiGate
1. From the Local-Windows VM, open a browser and log in as admin to the Local-FortiGate GUI at
10.0.1.254.
2. Go to Dashboard, and from the License Information widget, confirm that the FortiGuard Web
Filtering service is licensed and active.
A green check mark should be displayed.
3. Open PuTTY from the Local-Windows VM, and connect to the LOCAL-FORTIGATE saved
session (connect over SSH).
4. Log in as admin and type the following command to check the status of the web filtering
service:
get webfilter status
The get webfilter status and diagnose debug rating commands show the list of
FortiGuard FDS that your FortiGate uses to send web filtering requests. In normal operations,
FortiGate only sends the rating requests to the server on the top of the list. Each server is
probed for round trip time (RTT) every two minutes.
Stop and Think
Why does only one IP address appear from my network in the server list?
Discussion
Your lab environment uses a FortiManager at 10.0.1.241, which has been configured
as a local FDS server. It contains a local copy of the FDS web rating database.
FortiGate sends the rating requests to FortiManager instead of the public FDS servers.
For this reason, the output of the above command lists only the FortiManager IP
address.
Configuring a FortiGuard Category-based Web Filter
You will review the default web filtering profile and configure the FortiGuard category-based filter.
To configure the web-filter security profile
1. In the Local-FortiGate GUI, go to Security Profiles > Web Filter.
2. From the upper-right drop-down list, ensure default is selected as your web filter profile:
3. Enable FortiGuard category based filter:
4. Review the preassigned actions for each category.
Category                        Action
Local Categories                Allow
Potentially Liable              Block
Adult/Mature Content            Block: Other Adult Material and Pornography
                                Monitor: All other sub-categories
Bandwidth Consuming             Block: Streaming Media and Download
                                Warning: All other sub-categories
Security Risk                   Block
General Interest - Personal     Monitor
General Interest - Business     Monitor
Unrated                         Allow
Expand General Interest - Business to view the sub-categories:
5. Right-click Search Engines and Portals and select Allow:
6. Click Apply.
Applying the Web Filter Profile on a Firewall Policy
Now that you have configured the web filter profile, you must enable this security profile on a firewall
policy in order to start inspecting web traffic.
You will also enable the logs to store and analyze the security events generated by the web traffic.
To apply a security profile on a firewall policy
1. In the Local-FortiGate GUI, go to Policy & Objects > IPv4 Policy and edit policy named
Internet_Access.
2. Under the Security Profiles section, enable Web Filter and select default.
Note that this action enables the Proxy Options profile.
3. Under Logging Options, enable Log Allowed Traffic and select Security Events to enable the
UTM log:
4. Keep all other default settings and click OK.
Testing the Web Filter
For the purposes of this lab, you will review the website ratings and test the web filter security profile
you configured for each category.
To review the FortiGuard web filtering categories
1. In the Local-Windows VM, open a browser and go to http://www.fortiguard.com/webfilter.
2. Use the URL/IP Rating & Info tool and search for the following URL:
http://www.youtube.com
This is one of the websites you will use later to test your web filter.
As you can see, YouTube is listed in the Streaming Media and Download category.
3. Use the URL/IP Rating & Info tool again to find the rated category for the following websites:
http://www.skype.com/
http://www.ask.com/
http://www.bing.com/
You will test your web filter using these websites as well.
This table shows the category assigned to each URL as well as the action FortiGate will take
based on your web filter security profile:
Website                     Category                      Action
http://www.youtube.com/     Streaming Media               Block
http://www.skype.com/       Internet Telephony            Warning
http://www.bing.com/        Search Engines and Portals    Allow
To test the web filter
1. In the Local-Windows VM, open a new browser tab and go to http://www.youtube.com.
A block page displays according to the predefined action for this website category.
2. Open a new browser tab and go to http://www.skype.com/.
A warning page displays according to the predefined action for this website category.
3. Click Proceed to accept the warning and access the website.
4. Open a new browser tab and go to http://www.bing.com/.
This website appears, as it belongs to the Search Engines and Portals category which is set to
Allow.
Creating a Web Rating Override
In this procedure, you will override the category for www.bing.com.
To create a web rating override
1. In the Local-FortiGate GUI, go to Security Profiles > Web Rating Overrides.
2. Click Create New and configure the following settings:
Field           Value
URL             www.bing.com
Category        Security Risk
Sub-Category    Malicious Websites
3. Click OK.
Testing the Web Rating Override
You will test the web rating override you created in the previous procedure. To confirm that the
FortiGate is taking the local override, you will enable the real time debug for the web filtering
process.
Real time debugs show what a process is doing in real time.
To troubleshoot the web filter
1. In the Local-Windows VM, open PuTTY and connect to the LOCAL-FORTIGATE saved
session (connect over SSH).
2. Log in as admin and type the following commands to enable the web filtering real time debug:
diagnose debug application urlfilter -1
diagnose debug enable
3. Open a new browser tab, and try again to access the website www.bing.com.
4. Go back to your PuTTY CLI session and observe the output. It should be similar to the one below:
msg="received a request /tmp/.wad_202_0_0.url.socket, addr_len=31:
d=www.bing.com:80, id=183, vfname='root', vfid=0, profile='default',
type=0, client=10.0.1.10, url_source=1, url="/"
Url matches local rating
action=10(ftgd-block) wf-act=3(BLOCK) user="N/A" src=10.0.1.10
sport=53863 dst=204.79.197.200 dport=80 service="http" cat=26
cat_desc="Malicious Websites" hostname="www.bing.com" url="/"
The diagnostic output indicates the URL matches a local rating instead of a FortiGuard rating.
So, http://www.bing.com/ is blocked, because you have overridden its category rating!
5. Type the following commands to stop the real time debug:
diagnose debug application urlfilter 0
diagnose debug disable
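A small parser for the urlfilter real-time debug record shown in step 4, added here as an example that is not part of the lab or of FortiGate. The sample record is copied from the output above; the only field names and values it relies on are the ones that appear there.

```python
"""Parser for the FortiGate urlfilter real-time debug record shown in this lab.

Added example, not Fortinet code. A record has two parts: the request
("msg=...") and, after a line of the form "Url matches <source>", the verdict
as space-separated key=value fields. Some values are double-quoted
("Malicious Websites") and some carry a numeric code with a label, for
example action=10(ftgd-block).
"""
import re

# Sample record copied from the lab's debug output above.
SAMPLE_DEBUG = """\
msg="received a request /tmp/.wad_202_0_0.url.socket, addr_len=31:
d=www.bing.com:80, id=183, vfname='root', vfid=0, profile='default',
type=0, client=10.0.1.10, url_source=1, url="/"
Url matches local rating
action=10(ftgd-block) wf-act=3(BLOCK) user="N/A" src=10.0.1.10
sport=53863 dst=204.79.197.200 dport=80 service="http" cat=26
cat_desc="Malicious Websites" hostname="www.bing.com" url="/"
"""

# key=value where the value is either double-quoted or a run of non-blanks.
KV_RE = re.compile(r'(\w[\w-]*)=(?:"([^"]*)"|(\S+))')
# Numeric code with a label in parentheses, e.g. 3(BLOCK).
CODE_RE = re.compile(r"^(\d+)\((.+)\)$")


def parse_kv(text: str) -> dict:
    """Parse key=value fields; codes become (int, label), digit runs become int."""
    fields = {}
    for m in KV_RE.finditer(text):
        key, quoted, bare = m.groups()
        if quoted is not None:
            fields[key] = quoted
            continue
        code = CODE_RE.match(bare)
        if code:
            fields[key] = (int(code.group(1)), code.group(2))
        elif bare.isdigit():
            fields[key] = int(bare)
        else:
            fields[key] = bare
    return fields


def parse_urlfilter_debug(record: str) -> tuple:
    """Return (rating_source, verdict_fields) for one debug record.

    rating_source is the text after "Url matches", e.g. "local rating" when a
    web rating override was applied instead of the FortiGuard rating.
    """
    lines = record.strip().splitlines()
    for i, line in enumerate(lines):
        if line.startswith("Url matches "):
            source = line[len("Url matches "):].strip()
            return source, parse_kv(" ".join(lines[i + 1:]))
    raise ValueError("no 'Url matches ...' line found in record")


def is_local_override(record: str) -> bool:
    """True when the verdict came from a local rating (web rating override)."""
    source, _ = parse_urlfilter_debug(record)
    return source == "local rating"


def summarize(record: str) -> str:
    """One-line summary: host+url, web filter action, category, rating source."""
    source, f = parse_urlfilter_debug(record)
    _, action = f["wf-act"]
    return (f"{f['hostname']}{f['url']} {action} cat={f['cat']} "
            f"({f['cat_desc']}) via {source}")


if __name__ == "__main__":
    print(summarize(SAMPLE_DEBUG))
```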
2 Web Filtering Authentication
In this exercise, you will configure and test the authenticate action for web filtering categories.
Setting Up the Authenticate Action
You will first override the category for www.bing.com to Proxy Avoidance. After that, you will set the
action for this FortiGuard category to Authenticate.
To override the category
1. From the Local-Windows VM, open a browser and log in as admin to the Local-FortiGate GUI at
10.0.1.254.
2. Go to Security Profiles > Web Rating Overrides.
There is an entry for www.bing.com. The override category is set to Malicious Websites, which is
a Security Risk subcategory. Security Risk is set to Block by default.
3. Edit the rating override for www.bing.com and change the category and sub-category:
Field           Value
Category        Potentially Liable
Sub-Category    Proxy Avoidance
Note: The Potentially Liable category is set to Block by default on your FortiGate.
4. Click OK.
To set up the authenticate action
1. In the Local-FortiGate GUI, go to Security Profiles > Web Filter.
2. Under FortiGuard categories, right-click Potentially Liable and select Authenticate.
3. The Edit Filter widget will appear. Use the following settings:
Field                   Value
Warning Interval        5 minutes
Selected User Groups    Override_Permissions
4. Click OK.
5. Click Apply.
Note: For the purpose of this lab, the Override_Permissions is a predefined user group.
To review the user groups, go to User & Devices > User Groups.
Defining Users and Groups
You will define a user in order to test the authenticate action.
To create a user
1. Go to User & Devices > User Definition.
2. Click Create New.
3. Select Local User as the User Type.
4. Click Next and configure the following settings:
Field        Value
User Name    student
Password     fortinet
5. Click Next.
6. Click Next.
7. Enable User Group and select Override_Permissions from the drop-down list.
8. Click Create.
The student user is created.
Testing the Authenticate Action
In this section, you will test access to a website with the authenticate action and then analyze the
logs generated by the security events.
To test the web rating override
1. Open a new browser tab, and try to access http://www.bing.com.
A web page blocked message appears. Note that it is a different message from the one that
appeared before:
2. Click Proceed.
3. Enter the following credentials:
Field       Value
Username    student
Password    fortinet
This website now displays correctly.
To review the web filter logs for web rating overrides
1. Return to the Local-FortiGate GUI and go to Log & Report > Web Filter.
Note: The Web Filter logs section will not display if there are no web filtering logs.
FortiGate will show it after creating logs. If this menu item does not display, log out
from the FortiGate GUI and log in again to refresh it.
According to the logs, http://www.bing.com was initially blocked, but after clicking Proceed and
authenticating, the logs show a different action: passthrough.
Remember, http://www.bing.com is rated by FortiGuard as belonging to the Search Engines
and Portals category, where the action, by default, is set to Allow.
But for this website, you changed the category to Potentially Liable.
3 Web Profile Overrides
After you have tested the web rating overrides, you will test web profile overrides.
The web profile overrides feature changes the rules applied to inspected traffic. It authorizes some
users, user groups, or predefined source IPs, to use a different web filter profile.
Configure Web Profile Overrides
In this procedure, you will allow users to override blocked categories. Those users must authenticate
in order to apply a different web filter profile.
To configure a Web Profile Override
1. From the Local-Windows VM, open a browser and log in as admin to the Local-FortiGate GUI at
10.0.1.254.
2. Go to Security Profiles > Web Filter.
3. Enable Allow users to override blocked categories and enter the following options:
Field                      Value
Group that can override    Override_Permissions
Profile can switch to      monitor-all
Switch applies to          IP
Switch duration            Predefined 0 Day(s) | 0 Hour(s) | 15 Minute(s)
4. Click Apply to save the changes.
Testing the Web Profile Override
Finally, you will test the global access for a blocked category and authenticate to apply a new web
filter profile. You will also review the web filter logs to verify how actions change once the new web
profile is applied.
To test the web profile override
1. Open a new browser tab, and try to access www.youtube.com.
A block page appears according to the action for this website category. However, this block
message is different from the one that appeared in exercise 1. It includes an override link at the
bottom:
2. Click Override.
A block override message appears:
3. Enter the following credentials and click Continue:
Field       Value
Username    student
Password    fortinet
FortiGate overrides the default profile and allows you to access the website.
To review the web filter logs for web profile overrides
1. From the Local-FortiGate GUI, go to Log & Report > Web Filter.
2. Compare the current passthrough entries with the older block logs.
3. Click Details at the upper-right corner. Notice the web profile used is different.
LAB 11 Application Control
In this lab, you will configure and use application control and cloud access security inspection
(CASI) to take appropriate action on an application. You will view logs and monitor from FortiView.
You will also use the application control feature along with traffic shaping to limit the bandwidth of
an application.
Objectives
Configure application control.
Read and understand application control logs and applications from FortiView.
Configure and monitor traffic shaping for application control.
Configure CASI for granular control of applications.
Time to Complete
Estimated: 25 minutes
Prerequisites
Before beginning this lab, you must restore a configuration file to FortiGate.
To restore the FortiGate configuration file
1. From the Local-Windows VM, open a web browser and log in as admin to the Local-FortiGate
GUI at 10.0.1.254.
2. Go to Dashboard, and from the System Information widget click Restore.
3. From your local PC (Local-Windows VM), click Upload and go to Desktop > Resources >
FortiGate-I > Application-Control and select local-application-control.conf.
4. Click OK.
5. Click OK.
1 Creating an Application Control Profile
In this exercise, you will create an application control profile. The FortiGate matches the traffic in this
order:
1. application overrides
2. filter overrides
3. categories
You will also view the application control logs and applications from FortiView to confirm the
applications are logged correctly.
Configuring Application Overrides
The configuration file for this exercise already has the application control categories set to monitor
(except Unknown Applications). This allows the applications to pass, but also records a log message.
In this exercise, you will configure application overrides. The application overrides will take
precedence over application categories.
To configure application overrides
1. From the Local-Windows VM, open a browser and log in as admin to the Local-FortiGate GUI at
10.0.1.254.
2. Go to Security Profiles > Application Control.
3. Review the default application control sensor.
Verify that you are selecting the application sensor named default.
4. On the Edit Application Sensor page, click Add Signatures under Application Overrides to
add an application signature.
5. In the Add Signature page, click Add Filter.
6. Click Name and type dailymotion in the search field.
7. From the populated list, click the Dailymotion application to select it.
8. Click Dailymotion:
9. Click Use Selected Signature at the bottom.
Your configuration should look like the following:
The action for this should show as Block.
10. Click Apply at the bottom of the Edit Application Sensor page.
Verifying that an Application Control Profile is Applied
The configuration file for this exercise already has the default application control profile added to
the firewall policy; in this procedure you will verify that.
To verify that an application control profile is applied to a firewall policy
1. In the Local-FortiGate GUI, go to Policy & Objects > IPv4 Policy.
2. Right click the Seq.# column of the App_control firewall policy.
3. Click Edit.
4. Under the Security Profiles section, verify Application Control is turned on and the default
application control sensor is selected.
5. Click Cancel.
Testing the Application Control Profile
Now your configuration is complete. You will test the application control profile by going to the
application that you blocked in the application overrides configuration.
To test application control profile
1. In the Local-Windows VM, open a new web browser window and go to the following URL:
http://dailymotion.com.
You should observe that you cannot connect to this site. It times out.
2. In the Local-FortiGate GUI, go to the Security Profiles > Application Control.
3. Edit the default application sensor again.
4. Enable Replacement Messages for HTTP-based Applications at the bottom of the profile.
5. Click Apply.
6. Go to the http://dailymotion.com website again.
Now FortiGate should display a block message.
Viewing Logs
Now you will view the logs for the test you just performed.
To view logs
1. In the Local-FortiGate GUI, go to Log & Report > Application Control.
Note: The Application Control logs section will not display if there are no application
control logs. FortiGate will show it after creating logs. If this menu item does not
display, log out from the FortiGate GUI and log in again to refresh it.
2. Search and view the log information for Dailymotion to confirm that this action was correctly
logged.
3. Double click on the log to view more details.
It shows the application sensor name, application name, category, and the action taken by FortiGate.
4. Go to Log & Report > Forward Traffic and search and view the log information for Dailymotion.
You can see more details about this log such as NATed IP, Bytes sent/received, action, and
application.
2 Limiting Traffic Using Traffic Shapers
You can limit the bandwidth consumption of an application category or of a specific application by
configuring a traffic shaping policy. You must ensure that the matching criteria align with the firewall
policy or policies to which you want to apply shaping.
In this exercise, you will configure and apply traffic shaping to an application to limit its bandwidth
consumption.
Modifying Application Overrides Action
You will be modifying the application override for Dailymotion application to change the action from
Block to Monitor. Then you will apply traffic shaping in the next procedure.
To modify Application Overrides action
1. From the Local-Windows VM, open a browser and log in as admin to the Local-FortiGate GUI at
10.0.1.254.
2. Go to Security Profiles > Application Control.
3. Verify that you are selecting the application sensor named default.
4. Under Application Overrides, right-click Dailymotion and click Monitor.
This will change the action for Dailymotion from Block to Monitor.
5. Click Apply.
Note: In order for traffic shaping to apply, the application signature must be allowed (not blocked) in
the application control profile.
Configuring Traffic Shaper Policy
The traffic shaper is preconfigured for you. You will configure a traffic shaper policy that uses the
preconfigured traffic shaper to limit the bandwidth used by Dailymotion.
To configure Traffic Shaper Policy
1. In the Local-FortiGate GUI, go to Policy & Objects > Traffic Shapers.
2. For the DAILYMOTION_SHAPER traffic shaper, look closely at the Max Bandwidth column.
You will notice that the maximum amount of allowed bandwidth is very low.
3. Go to Policy & Objects > Traffic Shaping Policy and click Create New.
4. Configure the following.
Source: all
Destination: all
Service: ALL
Application: Dailymotion (Tip: Type the name in the search box on the right-hand side and click Dailymotion to add it.)
Outgoing Interface: port1 (Tip: Remember this is the FortiGate egress interface.)
Reverse Shaper: Enable and apply DAILYMOTION_SHAPER
Enable this policy: Enable
Your configuration should look like this:
5. Click OK.
Note: The Shared Shaper option is to limit the bandwidth from ingress-to-egress,
useful for limiting uploading bandwidth. Reverse Shaper is to limit bandwidth from
egress-to-ingress, useful for limiting downloading/streaming bandwidth.
Note: You must ensure that the matching criteria align with the firewall policy or
policies to which you want to apply shaping.
Testing Traffic Shaping
Now that your configuration is complete, you will test traffic shaping by playing a video on Dailymotion.
To test traffic shaping
1. In the Local-Windows VM, open a web browser and go to the following URL:
http://dailymotion.com
2. Try to play any video.
You will notice that access to this site is slow and that the video takes a long time to buffer and play.
Note: If your classroom is using a virtual lab, the underlying hardware is shared, so the amount of
bandwidth available for Internet access varies with other simultaneous use. The traffic shaper is set
to a very low value in order to make sure that the difference in behavior is easily noticeable. In real
networks, this setting would be greater.
3. In the Local-FortiGate GUI, go to Policy & Objects > Traffic Shapers.
4. Review the DAILYMOTION_SHAPER for Bandwidth Utilization and Dropped Bytes columns.
You might need to refresh the FortiGate GUI to view the statistics on Traffic Shapers.
You will notice the bandwidth utilization by the Dailymotion application, and that FortiGate is dropping
the packets that exceed the bandwidth configured in the traffic shaper.
Note: Monitor statistics are current as of the time that you requested the GUI page, so
make sure to view them while a video is downloading. Also refresh the page a few times
to get the results.
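To see where the Dropped Bytes figure comes from, the following added example (not Fortinet's code and not the lab's configuration) models a shaper as a token bucket: packets are forwarded while the bucket holds enough bytes for them, the bucket refills at the configured maximum bandwidth, and anything that arrives when the bucket is empty is dropped. The rate, bucket depth and the 1500-byte video-like packet stream are constructed values chosen so the arithmetic is exact.

```python
"""Token-bucket traffic shaper simulation (added example, not FortiOS code)."""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class TokenBucketShaper:
    rate_bps: int                 # maximum bandwidth, bits per second
    burst_bytes: int              # bucket depth: largest burst let through at once
    tokens: float = field(init=False, default=0.0)
    last_ms: int = field(init=False, default=0)
    passed_bytes: int = field(init=False, default=0)
    dropped_bytes: int = field(init=False, default=0)

    def __post_init__(self) -> None:
        self.tokens = float(self.burst_bytes)   # start with a full bucket

    def offer(self, now_ms: int, size: int) -> bool:
        """Offer one packet of `size` bytes arriving at `now_ms` milliseconds.

        Returns True if it is forwarded, False if it is dropped.
        """
        elapsed_ms = now_ms - self.last_ms
        self.last_ms = now_ms
        # Refill: rate_bps / 8 bytes per second == rate_bps / 8000 bytes per ms.
        self.tokens = min(self.burst_bytes,
                          self.tokens + elapsed_ms * self.rate_bps / 8000)
        if size <= self.tokens:
            self.tokens -= size
            self.passed_bytes += size
            return True
        self.dropped_bytes += size   # excess over the configured bandwidth
        return False


def constructed_stream(packets: int = 20, size: int = 1500,
                       interval_ms: int = 50) -> List[Tuple[int, int]]:
    """Constructed load: 1500-byte packets every 50 ms, i.e. 30,000 B/s (240 kbit/s)."""
    return [(i * interval_ms, size) for i in range(packets)]


def simulate(rate_bps: int, burst_bytes: int,
             stream: List[Tuple[int, int]]) -> Tuple[int, int]:
    """Push a (time_ms, size) stream through a shaper; return (passed_bytes, dropped_bytes)."""
    shaper = TokenBucketShaper(rate_bps, burst_bytes)
    for ts, size in stream:
        shaper.offer(ts, size)
    return shaper.passed_bytes, shaper.dropped_bytes


if __name__ == "__main__":
    # An 80 kbit/s shaper (10,000 B/s) against a 240 kbit/s stream: roughly
    # half of the offered bytes are dropped, which is what the Dropped Bytes
    # column reports while the video buffers.
    passed, dropped = simulate(80_000, 5_000, constructed_stream())
    total = passed + dropped
    print(f"offered {total} B, passed {passed} B, dropped {dropped} B "
          f"({100 * dropped / total:.0f}% dropped)")
```

Once the initial burst allowance is used up, the shaper settles into forwarding one 1500-byte packet every 150 ms, which is exactly the 10,000 B/s limit; raising the rate to match the offered load removes the drops entirely.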
3 Configuring CASI
The CASI profile allows fine-grained control over cloud applications such as YouTube, Dropbox, and
Netflix, to name a few. As most cloud-based applications use SSL encryption, you must enable
deep inspection in the firewall policy.
In this exercise, you will allow granular control over cloud based applications.
Configuring a CASI Profile
You will be configuring a CASI profile.
To configure a CASI profile
1. On the Local-Windows VM, open a browser and log in as admin to the Local-FortiGate GUI at
10.0.1.254.
2. Go to Security Profiles > Cloud Access Security Inspection.
3. Review the default CASI profile, in which the action for all applications is set to Monitor.
4. Under General.Interest, change the action to Block for Bing Search.
5. Click Apply at the bottom.
Optional configuration: If you have an account on www.facebook.com or www.linkedin.com, follow
the steps below:
Under Social.Media, click the + sign beside Facebook and change the action to Block for
Login.
Under Social.Media, click the + sign beside LinkedIn and change the action to Block for
Login.
Click Apply at the bottom.
Enabling CASI and Verifying Deep Inspection is Enabled
on the Firewall Policy
Most cloud applications use HTTPS, so remember that for those you will also need an
SSL/SSH inspection profile in the firewall policy.
Note: For CASI to work at all, man in the middle (MITM) must be correctly set up, without certificate
warnings. Firefox uses its own certificate store, whereas Chrome and IE use Microsoft’s.
In this environment, the FortiGate CA certificate for SSL inspection is preloaded into the Firefox
browser.
To enable CASI and verify deep inspection is enabled on firewall policy
1. In the Local-FortiGate GUI, go to Policy & Objects > IPv4 Policy.
2. Right click the Seq.# column of the App_control firewall policy and click Edit.
3. Under Security Profiles, enable CASI and select default from the associated drop-down list.
4. In the Security Profiles, verify that SSL/SSH Inspection is enabled and deep-inspection is
selected.
5. Click OK.
Testing CASI
Now that your configuration is complete, you will test CASI by going to the application that you configured.
To test CASI
1. In the Local-Windows VM, open a new web browser window and go to the following URL:
http://www.bing.com.
2. Try to search anything such as Fortinet, Youtube, or Facebook.
The page will be blocked.
Optional testing: If you have an account on www.facebook.com or www.linkedin.com, you can open
a new web browser window and go to https://www.facebook.com or https://www.linkedin.com.
Try logging into your account. You will notice that you are not able to log in.
3. In the Local-FortiGate GUI, go to Log & Report > Application Control.
Note: The Application Control logs section will not display if there are no application
control logs. FortiGate will show it after creating logs. If this menu item does not
display, log out from the FortiGate GUI and log in again to refresh it.
4. Search the logs for Bing, Facebook, or LinkedIn.
You will see logs similar to the one below.
In this example, look at the Application User and Application Details columns.
For LinkedIn, login to LinkedIn is blocked, but access to the website is allowed in the log below.
For Bing search, it shows the search phrase.
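The log views used in this exercise and in the application control exercise above (the Application Control view, which shows the application and the action, and the Forward Traffic view, which adds the NATed IP and bytes sent/received) are just filters over FortiGate's key=value log records. The following added example, not Fortinet's code, parses such records and produces those two summaries. The log lines are constructed for the example: the field names (subtype, app, action, sentbyte, rcvdbyte, transip) follow the FortiOS log convention, but every value in them (addresses, times, application names) is made up.

```python
"""Parse FortiGate-style key=value logs and summarize per application (added example)."""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# key=value pairs; a value is either a "quoted string" or a bare token.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample records: two app-ctrl logs, one forward-traffic log and
# one CASI-style block. None of these values come from a real FortiGate.
CONSTRUCTED_LOGS: List[str] = [
    'date=2016-08-04 time=10:15:32 type="utm" subtype="app-ctrl" level="warning" '
    'srcip=10.0.1.10 dstip=203.0.113.7 service="HTTP" app="Dailymotion" '
    'appcat="Video/Audio" action="block" profile="default" hostname="www.dailymotion.com"',
    'date=2016-08-04 time=10:20:05 type="utm" subtype="app-ctrl" level="information" '
    'srcip=10.0.1.10 dstip=203.0.113.7 service="HTTP" app="Dailymotion" '
    'appcat="Video/Audio" action="pass" profile="default" hostname="www.dailymotion.com"',
    'date=2016-08-04 time=10:20:06 type="traffic" subtype="forward" level="notice" '
    'srcip=10.0.1.10 dstip=203.0.113.7 transip=198.51.100.2 transport=41234 '
    'service="HTTP" app="Dailymotion" sentbyte=5120 rcvdbyte=1048576 action="accept"',
    'date=2016-08-04 time=10:31:47 type="utm" subtype="app-ctrl" level="warning" '
    'srcip=10.0.1.10 dstip=203.0.113.9 service="HTTPS" app="Bing.Search" '
    'appcat="General.Interest" action="block" profile="default" msg="search phrase: fortinet"',
]


def parse_fortilog(line: str) -> Dict[str, str]:
    """Turn one key=value record into a dict, stripping the quotes from values."""
    return {k: (v[1:-1] if v.startswith('"') else v) for k, v in _KV.findall(line)}


def app_actions(lines: Iterable[str]) -> Dict[str, Dict[str, int]]:
    """Count application-control actions per application, like the
    Application Control log view filtered on an application name."""
    counts: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = parse_fortilog(line)
        if rec.get("subtype") == "app-ctrl":
            counts[rec.get("app", "unknown")][rec.get("action", "unknown")] += 1
    return {app: dict(acts) for app, acts in counts.items()}


def bytes_by_app(lines: Iterable[str]) -> Dict[str, Tuple[int, int, str]]:
    """Sum sent/received bytes per application from forward-traffic logs and
    keep the NATed source address, as the Forward Traffic view shows."""
    totals: Dict[str, Tuple[int, int, str]] = {}
    for line in lines:
        rec = parse_fortilog(line)
        if rec.get("subtype") != "forward":
            continue
        app = rec.get("app", "unknown")
        sent, rcvd, _ = totals.get(app, (0, 0, ""))
        totals[app] = (sent + int(rec.get("sentbyte", 0)),
                       rcvd + int(rec.get("rcvdbyte", 0)),
                       rec.get("transip", ""))
    return totals


if __name__ == "__main__":
    for app, acts in app_actions(CONSTRUCTED_LOGS).items():
        print(f"{app}: {acts}")
    for app, (sent, rcvd, nat_ip) in bytes_by_app(CONSTRUCTED_LOGS).items():
        print(f"{app}: sent={sent} rcvd={rcvd} NATed IP={nat_ip}")
```

The same parser works on lines exported from the GUI or received by a syslog collector, which is the usual way to alert on a block action for an application that should not be in use at all.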
Appendix A: Additional Resources
Training Services
http://www.fortinet.com/training
Technical Documentation
http://docs.fortinet.com
Knowledge Base
http://kb.fortinet.com
Forums
https://forum.fortinet.com/
Customer Service & Support
https://support.fortinet.com
FortiGuard Threat Research & Response
http://www.fortiguard.com
Appendix B: Presentation Slides
In this lesson, you will learn about FortiGate administration basics. This includes how – and where –
FortiGate fits into your existing network architecture.
Introduction to Fortinet
After completing this lesson, you should have the practical skills and knowledge of FortiGate
administration fundamentals required to do the following:
• log in to your FortiGate
• create administrator accounts
• configure basic network settings, and
• use your FortiGate’s GUI or CLI.
You’ll also be able to set up FortiGate to act as your local network’s DNS or DHCP server.
Lab exercises can help you to test and reinforce your skills.
To start, let’s talk about how FortiGate is different from traditional firewalls or other vendors that you
may have worked with.
From the beginning, FortiGate has been synonymous with unified threat management (UTM): a
traditional firewall with specialized security devices, such as VPN gateways and IPS sensors bundled
into one device. FortiGate UTM proved popular with small-to-medium businesses (SMB) and
enterprises or campuses that have many branch offices. However, for managed security service
providers (MSSPs) and data centers looking for the best performance, Fortinet’s FortiASIC chips and
next-generation firewall features have been popular instead. How can FortiGate serve all of these
types of networks?
In this architecture diagram, you can see how FortiGate platforms add strength, without compromising
flexibility. Like separate, dedicated security devices, FortiGates are still internally modular. Plus:
Devices add duplication. Sometimes, dedication doesn’t mean efficiency. If it’s overloaded, can
one device borrow free RAM from nine others? Do you want to configure policies, logging, and
routing on 10 separate devices? Does 10 times the duplication bring you 10 times the benefit, or is
it a hassle? For smaller to midsize businesses or enterprise branch offices, UTM is often a superior
solution compared to separate dedicated appliances.
FortiGate hardware isn’t just off-the-shelf. It’s carrier-grade. Underneath, most FortiGate
models have one or more specialized circuits called ASICs that are engineered by Fortinet. For
example, a CP or NP chip handles cryptography and packet forwarding more efficiently. Compared
to a single-purpose device with only a CPU, FortiGate can have dramatically better performance.
This is especially critical for data centers and carriers where throughput is business critical.
(The exception? Virtualization platforms – VMware, Citrix Xen, Microsoft, or Oracle Virtual Box –
have general-purpose vCPUs. But, virtualization might be worthwhile due to other benefits, such as
distributed computing and cloud-based security.)
FortiGate is flexible. If all you need is fast firewalling and antivirus, FortiGate won’t require you to
waste CPU, RAM, and electricity on other features. In each firewall policy, UTM and next-
generation firewall modules can be enabled or disabled. Also, you won’t pay more to add VPN seat
licenses later. What requires a subscription? Only ongoing FortiGuard subscription services.
FortiGate cooperates. A preference for open standards instead of proprietary protocols means
less vendor lock-in and more choice for system integrators. And, as your network grows, FortiGate
can leverage other Fortinet products such as FortiSandbox and FortiWeb to distribute processing
for deeper security and optimal performance – a total security fabric approach.
If you deploy FortiGates as virtualized appliances – not physical – that platform still will be familiar.
FortiGate virtual machines (VMs) have the same features as a physical FortiGate, except for
hardware acceleration. Why? First, hypervisors’ hardware abstraction layer software is made by
VMware, Xen, and other hypervisor manufacturers, not by Fortinet. Those other manufacturers don’t
make Fortinet’s proprietary FortiASIC chips. But there is another reason, too. The purpose of
hypervisors’ generic virtual CPUs and other virtual chips is to abstract the hardware details. That way,
all VM guest OSs can run on a common platform, no matter the different hardware where the
hypervisors are installed. Unlike vCPUs or vGPUs that use generic, non-optimal RAM and vCPUs for
abstraction, FortiASIC chips are (by definition) specialized optimized circuits. Therefore, a virtualized
ASIC chip would not have the same performance benefits as a physical ASIC chip.
If performance on equivalent hardware is less, you may wonder, why would anyone use a FortiGate
VM? In large scale networks that change rapidly and may have many tenants, equivalent processing
power and distribution may be achievable by using larger amounts of cheaper, general purpose
hardware. Also, trading some performance for other benefits may be worth it. The owner can benefit
strongly from faster network and appliance deployment and teardown.
FortiGate VMX and the FortiGate Connector for Cisco ACI extend this vision. They are a specialized
version of FortiOS and an API that allow you to orchestrate rapid network changes through standards,
such as OpenStack for software-defined networking (SDN). So:
FortiGate VM is deployed as a guest VM on the hypervisor.
FortiGate VMX is deployed inside a hypervisor’s vNetworks, between guest VMs.
FortiGate Connector for Cisco ACI allows ACI to deploy physical or virtual FortiGate VMs for
North/South traffic.
FortiGuard subscription services give your FortiGate access to 24 x 7 security updates powered by
Fortinet’s researchers. Your FortiGate uses FortiGuard in two ways:
by periodically requesting packages that contain a new engine and many signatures, and
by querying the FDN on an individual URL or host name.
Queries are real-time – that is, FortiGate asks the FDN every time it scans for spam or filtered
websites. Also, queries use UDP for transport – they are connectionless and the protocol is not
designed for fault tolerance, but for speed. So, they require that your FortiGate have a reliable Internet
connection.
Downloaded packages like antivirus and IPS, however, aren’t that frequent. They use TCP for reliable
transport. Their associated FortiGate features continue to function even if FortiGate does not have
reliable Internet connectivity. Keep in mind, though, that you should still avoid interruptions. If your
FortiGate must try repeatedly to download updates, it can’t detect new threats during that time.
So now you’ve seen a simplified overview of the software architecture. What about the network
architecture? Where does FortiGate fit in?
When you deploy a FortiGate, you can choose on the dashboard between two modes: NAT or
transparent.
In NAT mode, FortiGate forwards packets based on Layer 3, like a router. Each of its logical
network interfaces have an IP address.
In transparent mode, FortiGate forwards packets at Layer 2, like a switch. So, except for the
management interface, its interfaces have no IP address.
Interfaces can be exceptions to the router vs. switch operation mode on an individual basis, however.
We’ll show these later.
What does that mean for your traffic, in terms of the 7-layer OSI model? Which operation mode should
you choose?
NAT mode is the most common choice. In NAT mode, the destination address is the FortiGate’s
address. Typically, FortiGate will rewrite the destination address, and/or port number and source
address in the IP network layer, into the server’s private network address before forwarding the packet
– in other words, it will apply NAT and port forwarding. Depending on your presentation and
application layer protocols, it might also:
Terminate SSL or TLS sessions so back-end servers don’t need to decrypt
Modify the addresses in the application layer headers, such as the Host and X-Forwarded-For
addresses in the HTTP header
So, NAT mode works well for edge or gateway security, where you divide your private IPv4 network
from an external network such as guest Wi-Fi or the Internet.
In transparent mode, the destination address is the server’s address – not a FortiGate’s interface. As
a result, it usually doesn’t need to rewrite encapsulated layers – with the exception of TCP SYN-
related analysis. Only the MAC address in the frame is rewritten. So, in complex IP environments
such as MSSP or mobile phone carriers, this simplifies deployment. Only the management interface
needs an IP address. But because network-facing interfaces don’t have an IP address, you must verify
that your topology doesn’t have any loops at Layer 2 – Ethernet.
NAT mode is the default operation mode. What are the other default settings? Once you’ve removed
your FortiGate from its box, what do you do next?
Let’s take a look at how you set up a FortiGate.
Attach your computer’s network cable to port1 or the internal switch ports (depending on your model)
to begin setup. In most of the low-end models, there is a DHCP server on that interface, so, if your
computer’s network settings have DHCP enabled, your computer should automatically get an IP, and
you can begin setup quickly.
To access the GUI on FortiGate or FortiWifi, open a web browser and go to http://192.168.1.99.
Remember: the default login is publicly available knowledge. Never leave the default password blank!
Your network is only as secure as your FortiGate’s admin account. Before you connect your FortiGate
to your overall network, you should set a complex password. You should also restrict it so that
FortiGate allows administrative connections only from your local console or management subnet.
What happens if you forget the password for your admin account, or a hostile employee changes it?
This recovery method is available on all FortiGate devices and even some non-FortiGate devices like
FortiMail. It’s a temporary account, only available through the local console port, and only after a hard
reboot – disrupting power by unplugging or switching off the power, then restoring it. FortiGate must
be physically shut off, then turned back on – not simply rebooted through the CLI. That’s the difference
between a hard boot and a soft boot.
Even then, the maintainer login will only be available for login for about 30 seconds after boot
completes.
If you can’t ensure physical security, or have compliance requirements, you can disable the
maintainer account. Use caution: if you disable maintainer and then lose your admin password,
you cannot recover access to your FortiGate.
All FortiGate models have a console port. This provides CLI access without a network.
On older models, it’s a serial port. A standard null modem cable can be used to connect the serial
port to your computer’s serial port.
On newer models, it’s an RJ-45 port. Access by connecting an RJ-45-to-serial cable from your
computer’s serial port to the RJ-45 port on the FortiGate.
In some newer models, the console port is a USB2 port. In that case, you’ll plug in the USB cable,
then open FortiExplorer.
Each device ships with its appropriate cable.
Serial ports on computers are becoming less common. If your computer does not have one, you can
purchase a USB-to-serial adapter.
Most features are available in both the GUI and CLI, but there are a few exceptions. For example,
reports can’t be viewed in the CLI. Also, the rarely used advanced settings and diagnostic commands
for power users are usually not available in the GUI.
What if you don’t want to use the GUI?
There is also a CLI. As you become more familiar with FortiGate, and especially if you want to script
its configuration, you may want to use the CLI in addition to the GUI. You can access the CLI through
either the JavaScript widget in the GUI named CLI Console, or through a terminal emulator such as
Tera Term (http://ttssh2.sourceforge.jp/index.html.en) or PuTTY
(http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html). Your terminal emulator can
connect through the network – SSH or telnet – or the local console port.
SNMP and some other administrative protocols are also supported, but they are read-only. They can’t
be used for basic setup. Let’s focus on setup now.
Whichever method you use, start by logging in as admin. Begin by creating accounts for other
administrators.
It’s not shown here, but instead of creating accounts on FortiGate itself, you could configure FortiGate
to query a remote authentication server. You could also require personal certificates authenticated
through your PKI certificate authority, instead of passwords.
Choose strong, complex passwords. For example, you could use multiple interleaved words with
varying capitalization, and randomly insert numbers and punctuation. Do not use short passwords, or
passwords that contain names, dates, or words that exist in any dictionary. These will be very weak
against brute force attacks. To audit the strength of your passwords, use tools such as L0phtcrack
(http://www.l0phtcrack.com/) or John the Ripper (http://www.openwall.com/john/). Risk of attackers
brute forcing your firewall is especially high if you connect the management port to the Internet.
In order to restrict access to specific features, you can assign permissions.
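The password guidance above can be enforced before an administrator account is created. The following added example, not Fortinet's code, checks a candidate password for the properties the slide calls out: length, mixed character classes, no dictionary words (including the usual letter-for-symbol substitutions crackers try first), no years, and an entropy estimate showing how quickly a short or word-based password falls to brute force. The word list is a constructed stand-in for the dictionaries a tool such as John the Ripper uses; the 14-character minimum and 60-bit floor are assumed policy values, not FortiOS defaults.

```python
"""Administrator password policy check (added example, not FortiOS code)."""
import math
import re
from typing import List, Set

# Constructed stand-in for a cracking dictionary; real lists have millions of entries.
CONSTRUCTED_WORDLIST: Set[str] = {
    "password", "fortinet", "fortigate", "admin", "welcome", "summer", "dragon",
}
MIN_LENGTH = 14        # assumed policy value
MIN_ENTROPY_BITS = 60  # assumed policy value

_CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]")
# Substitutions such as P@ssw0rd -> password are the first thing a cracker tries.
_LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "l", "!": "i", "3": "e"})


def charset_size(pw: str) -> int:
    """Size of the alphabet an attacker must search, from the classes present."""
    sizes = (26, 26, 10, 33)   # lower, upper, digits, printable ASCII punctuation
    return sum(n for pat, n in zip(_CLASSES, sizes) if re.search(pat, pw))


def entropy_bits(pw: str) -> float:
    """Upper bound on the search space, assuming a random pick from the charset."""
    size = charset_size(pw)
    return len(pw) * math.log2(size) if size else 0.0


def leet_normalize(pw: str) -> str:
    return pw.lower().translate(_LEET)


def check_password(pw: str, wordlist: Set[str] = CONSTRUCTED_WORDLIST) -> List[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems: List[str] = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if sum(bool(re.search(pat, pw)) for pat in _CLASSES) < 3:
        problems.append("fewer than three character classes")
    normalized = leet_normalize(pw)
    for word in sorted(wordlist):
        if len(word) >= 4 and word in normalized:
            problems.append(f"contains dictionary word '{word}'")
    if re.search(r"(19|20)\d{2}", pw):
        problems.append("contains a year")
    bits = entropy_bits(pw)
    if bits < MIN_ENTROPY_BITS:
        problems.append(f"estimated entropy {bits:.0f} bits is below {MIN_ENTROPY_BITS}")
    return problems


if __name__ == "__main__":
    for candidate in ("P@ssw0rd2016", "Admin123!", "wAter+lamp9~Orbit-cactus4"):
        verdict = check_password(candidate) or ["ok"]
        print(f"{candidate!r}: {bits:.0f} bits; " if (bits := entropy_bits(candidate)) else "",
              "; ".join(verdict))
```

Interleaved words with capitalization and inserted digits and punctuation, as the slide recommends, pass every check, while a substituted dictionary word with a year fails three of them even though it uses all four character classes.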
When assigning permissions in an admin profile, you can specify read-and-write, read-only, or no
access to each area.
By default, there is a special profile named super_admin, which is used by the account named admin.
It cannot be changed. It provides full access to everything, making the admin account similar to a root
superuser account.
The prof_admin is another default profile. It also provides full access, but unlike super_admin, it only
applies to its virtual domain – not the global settings of the FortiGate. Also, its permissions can be
changed.
You aren’t required to use a default profile. You could, for example, create a profile named
auditor_access with read-only permissions. Restricting a person’s permissions to those necessary for
his or her job is a good best practice, because even if that account is compromised, the compromise
is not complete. To do this, create admin profiles, then select the appropriate profile
when configuring an account.
What are the effects of admin profiles?
It’s actually more than just read or write access.
Depending on the type of admin profile that you assign, each administrator may not be able to access
the entire FortiGate. For example, you could configure an account that can only view log messages.
Administrators may not be able to access global settings outside their assigned virtual domain either.
Virtual domains (VDOMs) are a way of subdividing the resources and configurations on a single
FortiGate. VDOMs are explained in more detail in the FortiGate II: Virtual Domains lesson.
Administrators with a smaller scope of permissions cannot create, or even view, accounts with more
permissions. So, for example, an administrator using the prof_admin or a custom profile cannot see –
or reset the password of – accounts that use the super_admin profile.
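The two slides above describe a small access-control model: per-area access levels (none, read-only, read-write), a fixed super_admin profile with global scope, VDOM-scoped profiles that can be edited, and the rule that an administrator can never see or reset an account whose profile grants more than their own. The following added example, not FortiOS code, encodes that model so the consequences can be checked; the area names and the prof_admin, auditor_access and log_viewer profiles are illustrative, not the exact FortiOS profile fields.

```python
"""Admin-profile permission model (added example, not FortiOS code)."""
from dataclasses import dataclass, replace
from enum import IntEnum
from typing import Dict


class Access(IntEnum):
    NONE = 0
    READ = 1
    READ_WRITE = 2


# Illustrative configuration areas (not the exact FortiOS profile fields).
AREAS = ("system", "network", "firewall", "log", "vpn", "utm")


@dataclass(frozen=True)
class AdminProfile:
    name: str
    scope: str                  # "global" (whole FortiGate) or "vdom" (one virtual domain)
    access: Dict[str, Access]   # per-area level; areas not listed are NONE
    mutable: bool = True        # super_admin cannot be changed

    def level(self, area: str) -> Access:
        return self.access.get(area, Access.NONE)


SUPER_ADMIN = AdminProfile("super_admin", "global",
                           {a: Access.READ_WRITE for a in AREAS}, mutable=False)
PROF_ADMIN = AdminProfile("prof_admin", "vdom", {a: Access.READ_WRITE for a in AREAS})
AUDITOR = AdminProfile("auditor_access", "vdom", {a: Access.READ for a in AREAS})
LOG_VIEWER = AdminProfile("log_viewer", "vdom", {"log": Access.READ})


def allowed(profile: AdminProfile, area: str, write: bool = False) -> bool:
    """Is an administrator with `profile` allowed to read (or write) `area`?"""
    needed = Access.READ_WRITE if write else Access.READ
    return profile.level(area) >= needed


def can_manage_account(actor: AdminProfile, target: AdminProfile) -> bool:
    """Can an administrator using `actor` view or reset an account using `target`?

    Only if the actor's scope covers the target's and the actor's access in
    every area is at least the target's, so nobody can escalate by editing a
    more privileged account.
    """
    if target.scope == "global" and actor.scope != "global":
        return False
    return all(actor.level(a) >= target.level(a) for a in AREAS)


def set_access(profile: AdminProfile, area: str, level: Access) -> AdminProfile:
    """Return a copy of `profile` with one area changed; super_admin is immutable."""
    if not profile.mutable:
        raise PermissionError(f"profile {profile.name} cannot be changed")
    return replace(profile, access={**profile.access, area: level})


if __name__ == "__main__":
    print("log_viewer can read logs:", allowed(LOG_VIEWER, "log"))
    print("log_viewer can edit firewall:", allowed(LOG_VIEWER, "firewall", write=True))
    print("prof_admin can reset super_admin account:", can_manage_account(PROF_ADMIN, SUPER_ADMIN))
    print("super_admin can reset prof_admin account:", can_manage_account(SUPER_ADMIN, PROF_ADMIN))
```

The `can_manage_account` check is the part worth keeping in mind when designing profiles: a compromised read-only or VDOM-scoped account is contained because it can neither see nor alter the accounts that could widen its access.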
To further secure access to your network security, use two-factor authentication.
Two-factor authentication just means that instead of only using one method to verify your identity –
typically a password or personal certificate – you verify identity in two ways. In the example shown
here, two-factor authentication would mean a password plus an RSA randomly generated number
from a FortiToken that is synchronized with FortiGate.
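What "synchronized with FortiGate" means in practice is that the token and the FortiGate share a secret and a clock, and each derives the same short-lived code from them. The following added example, not FortiToken's or FortiOS's code, implements the OATH time-based one-time password scheme (RFC 6238 TOTP over HMAC-SHA1 with a 30-second step) that this kind of token uses, together with the verifier side, including the small clock-skew window a verifier allows and a constant-time comparison. The secret and timestamps are the RFC 6238 test vectors, not any real token's seed.

```python
"""RFC 6238 TOTP: token side and verifier side (added example, not FortiOS code)."""
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 6238 test-vector seed (ASCII "12345678901234567890"); a real token seed is
# a random secret provisioned to both the token and the authenticator.
RFC6238_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based OTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, then
    dynamic truncation to a `digits`-long decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: Optional[int] = None,
         step: int = 30, digits: int = 6) -> str:
    """Time-based OTP (RFC 6238): HOTP with the counter = Unix time // step.
    This is what the token displays."""
    t = int(time.time()) if at_time is None else int(at_time)
    return hotp(secret, t // step, digits)


def verify(secret: bytes, code: str, at_time: Optional[int] = None,
           step: int = 30, digits: int = 6, skew: int = 1) -> bool:
    """Verifier side: accept the code for the current step or up to `skew`
    adjacent steps (tolerating small clock drift), comparing in constant time."""
    t = int(time.time()) if at_time is None else int(at_time)
    return any(
        hmac.compare_digest(totp(secret, t + d * step, step, digits), code)
        for d in range(-skew, skew + 1)
    )


if __name__ == "__main__":
    # RFC 6238 Appendix B vectors (8 digits, SHA-1): T=59 -> 94287082
    print("code at T=59:", totp(RFC6238_SECRET, 59, digits=8))
    print("accepted 16 s later:", verify(RFC6238_SECRET, "94287082", at_time=75, digits=8))
    print("accepted 141 s later:", verify(RFC6238_SECRET, "94287082", at_time=200, digits=8))
    print("live 6-digit code:", totp(RFC6238_SECRET))
```

The skew window is why a token whose clock has drifted by a few seconds still works, and why one that has drifted by minutes stops working until it is resynchronized; the second factor adds nothing if the seed is stored alongside the password database, so the seed store is the part that needs protecting.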
FortiToken is not the only option if you want to use two-factor authentication. Remember, two-factor
only means that you use two methods to verify a person’s identity.
Alternatively, instead of using FortiToken, FortiGate can send an email to the administrator’s address,
or send a text message as a form of authentication.
To be able to do this, you must first configure FortiGate with the settings of a mail server (so that it can