FortiGate multi-threat security systems administration, Content Inspection and VPNs Student Training Guide Course 201. No part of this publication including text, examples, diagrams, or illustrations may be reproduced, transmitted, or translated. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
The document discusses administration, content inspection, VPNs and other security features of Fortinet products.
The main topics covered include introduction to Fortinet UTM, logging and monitoring, firewall policies, local user authentication, SSL VPN, IPSec VPN, antivirus, email filtering, web filtering and application control.
Application control allows selectively blocking specific features inside network applications, like blocking the editing feature of Wikipedia while allowing read access.
FortiGate Multi-Threat Security Systems
Administration, Content Inspection and VPNs
Student Training Guide Course 201
Copyright 2013 Fortinet, Inc. All rights reserved. No part of this publication including text, examples, diagrams, or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical, or otherwise, for any purpose, without prior written permission of Fortinet, Inc.
Trademarks: Dynamic Threat Prevention System (DTPS), APSecure, FortiASIC, FortiBIOS, FortiBridge, FortiClient, FortiGate, FortiGate Unified Threat Management System, FortiGuard, FortiGuard-Antispam, FortiGuard-Antivirus, FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiAnalyzer, FortiManager, Fortinet, FortiOS, FortiPartner, FortiProtect, FortiReporter, FortiResponse, FortiShield, FortiVoIP, and FortiWiFi are trademarks of Fortinet, Inc. in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
01-50003-0201-20131018-D ii
MODULE 9: Web Filtering ............ 105
MODULE 10: Application Control ..... 120

Module 1: Introduction to Fortinet Unified Threat Management

Module Objectives
By the end of this module, participants will be able to:
- Identify the major features of the FortiGate Unified Threat Management appliance
- Modify administrative access restrictions on an interface
- Create and manage administrative users
- Create and manage administrator access profiles
- Back up and restore configuration files
- Create a DHCP server on a FortiGate device interface
- Upgrade or downgrade a FortiGate unit's firmware

Traditional Network Security Solutions
- Firewall, Antivirus, Antispam, WAN Optimization, Web Filtering, Application Control, Intrusion Prevention, VPN
- Many single-purpose systems are needed to cope with a variety of threats

FortiGate Integrated Network Security Platform
- Firewall, Antivirus, Antispam, WAN Optimization, Web Filtering, Application Control, Intrusion Prevention, VPN and more
- One device (the FortiGate appliance) provides a comprehensive security and networking solution

Unit Design
- Hardware: purpose-driven hardware
- FortiOS: specialized operating system
- Firewall, AV, Web Filter, IPS: security and network-level services
- FortiGuard Subscription Services: automated update service

FortiGate Unit Capabilities
- Firewall, Antivirus, Email filtering, Web filtering, Intrusion prevention, Application control, Data leak prevention, WAN optimization, Secure VPN, Wireless, Dynamic routing, Endpoint compliance, Virtual domains, Traffic shaping, High availability, Logging and reporting, Authentication

Fortinet Products
- Network Security: FortiGate appliances (high-end, mid-range and desktop models)
- Network Access: Wireless (FortiWiFi, FortiAP); Switching (FortiSwitch); End-point and mobility (FortiClient); User Identity (FortiAuthenticator, FortiToken)
- Infrastructure Security: Application and Content Delivery (FortiADC); DDoS Mitigation (FortiDDoS); Advanced Threat Protection; Voice and Video (FortiVoice, FortiCamera, FortiRecorder)
- Application Security: FortiMail, FortiWeb, FortiDB, FortiCache
- Management: FortiManager, FortiAnalyzer, FortiCloud

FortiGuard Subscription Services
- Global Update service for AV/IPS (update.fortiguard.com)
- Global Live service for FortiGuard WF/AS (service.fortiguard.net)
- The FortiGate unit prefers nearby servers; server distance is calculated based on time zones
- Major server centers are in North America as well as Asia and Europe
- The nearest servers are preferred, but the unit adjusts based on server load

Device Factory Defaults
- port1 or the internal interface has an IP address of 192.168.1.99
- port1 or the internal interface has a DHCP server set up and enabled (on devices that support DHCP servers)
- The default login is always: user: admin, password: (blank)
- Usernames and passwords are BOTH case sensitive

Device Administration
- Web GUI
- CLI

Admin Profiles
- Profile permissions: System Configuration, Network Configuration, Firewall Configuration, UTM Configuration, VPN Configuration, etc.
- Each permission in an admin profile is set to Read or Read-Write

Administrators
- Full access: super_admin profile
- Full access within a single virtual domain: prof_admin profile
- Custom access: custom profile

Administrator Trusted Hosts

Two Factor Authentication
- Username and Password (one factor)
- Username and Password + FortiToken (two factor)

Administrator Two Factor Authentication

Device Configuration
- Device configuration settings can be saved to an external file
- Optional encryption
- The file can be restored to roll back the device to a previous configuration
- Per-VDOM configuration file

Interface IPs
- Every used interface on the unit must have an IP assigned (in NAT mode) using one of three methods: manual IP, DHCP assigned, PPPoE

Static Gateway
- There must be at least one default gateway
- If an interface is DHCP or PPPoE, then a gateway can be added to the routing dynamically

DHCP Server Setup

DHCP Server IP Reservation
- An IP address is reserved and always assigned to the same DHCP host
- Select an IP address or choose an existing DHCP lease to add to the reserved list
- Identify the IP address reservation as either DHCP over Ethernet or DHCP over IPSec
- The MAC address of the DHCP host is used to look up the IP address in the IP reservation table
- Found in the Advanced settings of the DHCP server, on the interface

DHCP - Activity

FortiGate as a DNS Server
- Resolves DNS lookups from an internal network
- Methods to set up DNS for each interface:
  - Forward-only: DNS requests are sent to the DNS servers configured for the unit
  - Non-recursive: DNS requests are resolved using the FortiGate DNS database; unresolved DNS requests are dropped
  - Recursive: DNS requests are resolved using the FortiGate DNS database; unresolved DNS requests are relayed to the DNS servers configured for the unit
- One DNS database can be shared by all the FortiGate interfaces
- If VDOMs are enabled, a DNS database needs to be created in each VDOM

DNS Forwarding
- FortiGate units can forward (or not) DNS requests sent to their interfaces
- Behavior on each interface is configured separately, which allows direct control of DNS
- The GUI allows setting Forward only; the CLI allows Forward, Recursive and Non-recursive behavior

DNS Database Configuration
- DNS zones need to be added when configuring the DNS database
- Each zone has its own domain name; the zone format is defined by RFC 1034 and 1035
- DNS entries are added to each zone; an entry includes a hostname and the IP address it resolves to
- Each entry also specifies the type of DNS entry: IPv4 address (A) or IPv6 address (AAAA), name server (NS), canonical name (CNAME), mail exchange (MX), name to IPv4 or IPv6 reverse mapping (PTR)

Firmware Upgrade Steps
Step 1: Back up and store the old configuration (full config backup from the CLI)
Step 2: Have a copy of the old firmware available
Step 3: Have a disaster recovery option on standby (especially if remote)
Step 4: READ THE RELEASE NOTES (upgrade path, bug information)
Step 5: Double check everything
Step 6: Upgrade

Firmware Downgrade Steps
Step 1: Locate the pre-upgrade configuration file
Step 2: Have a copy of the old firmware available
Step 3: Have a disaster recovery option on standby (especially if remote)
Step 4: READ THE RELEASE NOTES (is a downgrade possible?)
Step 5: Double check everything
Step 6: Downgrade (all settings except those needed for access are lost)
Step 7: Restore the pre-upgrade configuration

Maintainer Access
- Available on all FortiGate devices and some non-FortiGate devices
- Only available through the console port
- Highly secure (requires physical access)
- Only open after a HARD boot, for about 30 seconds (varies by model, by approximately 1 minute); a soft boot does not activate the user
- User: maintainer
- Password: bcpb<serial number>; all letters in the serial number MUST BE uppercase
- Can be disabled in the CLI if physical security is a risk:
    config sys global
        set admin-maintainer disable
    end

Console Port
Depending on the FortiGate model, console port access is provided in the following ways:
- Serial port (older models): a standard null modem cable will work for console port access
- RJ-45 port: an RJ-45-to-serial cable is required for access
- USB 2 port: requires FortiExplorer to connect
- Each device ships with the proper console cables

Labs
Lab 1: Initial Setup and Configuration
  Ex 1: Configuring Network Interfaces
  Ex 2: Exploring the Command Line Interface
  Ex 3: Restoring Configuration Files
  Ex 4: Performing Configuration Backups (OPTIONAL)
Lab 2: Administrative Access
  Ex 1: Profiles and Administrators
  Ex 2: Restricting Administrator Access
Classroom Lab Topology

Module 2: Logging and Monitoring

Module Objectives
By the end of this module, participants will be able to:
- Define the storage location for log information
- Enable logging for different FortiGate unit events
- View and search logs
- Monitor log activity
- Understand RAW log output
- Customize widgets on the dashboard
- Describe when (and where) a FortiGate device creates log events based on the configuration

Logging and Monitoring
- Logging and monitoring are key elements in maintaining devices on the network
- Monitor network and Internet traffic
- Track down and pinpoint problems
- Establish baselines

Logging Severity Levels
- Administrators define the severity level at which the FortiGate unit records log information
- All messages at, or above, the minimum severity level will be logged
  - Emergency = System unstable
  - Alert = Immediate action required
  - Critical = Functionality affected
  - Error = Error exists that can affect functionality
  - Warning = Functionality could be affected
  - Notification = Info about normal events
  - Information = General system information (default)
  - Debug = Debug log messages

Log Storage Locations
- Local logging: memory and hard drive
- Remote logging: Syslog, SNMP

Log Types and Subtypes
- Traffic Log
  - Forward (traffic passed/blocked by firewall policies)
  - Local (traffic aimed directly at, or created by, the FortiGate device)
  - Invalid (packets considered invalid/malformed and dropped)
- Event Log
  - System (system-related events)
  - Router, VPN, User, WanOpt & Cache, WiFi
- Security Log
  - Antivirus, Web Filter, Intrusion Protection, etc.
  - Not created by default

Log Structure and Behavior
- Logging is divided into 3 sections: Traffic Log, Event Log, Security Log
- Traffic logs relate to packets to and through the device
- Event logs relate to any admin and system activity events on the device
- Security logs contain log messages related to profiles acting on traffic passing through the device
- Security events are consolidated into the Forward Traffic log; this is less CPU intensive
  - Exceptions: DLP, Intrusion Scanning (Security Log only)
- Additional log information can be obtained in some security profiles via the CLI (Antivirus, Web Filter, Email, Application Control): extended-utm-log [disable (default) | enable]
  - New log options show up (CLI only, varies depending on profile type)
  - Security event logs show up in the Security Logs with more details

Traffic Log: log generation by policy log setting, security profile (AV, Web Filter, Email or App Control) and extended-utm-log

Policy Log Setting    | Security profile | extended-utm-log | Behavior
----------------------|------------------|------------------|-------------------------------------------------------------
No Log                | Disabled         | N/A              | No Forward Traffic or Security Logs
No Log                | Enabled          | Disabled         | No Forward Traffic or Security Logs
No Log                | Enabled          | Enabled          | No Forward Traffic or Security Logs
Log Security Events   | Disabled         | N/A              | No Forward Traffic or Security Logs
Log Security Events   | Enabled          | Disabled         | Security log events appear in the Forward Traffic Log. Forward Traffic Log generated for packets causing a security event.
Log Security Events   | Enabled          | Enabled          | Security log events appear in the Security Log. Forward Traffic Log generated for packets causing a security event.
Log all Sessions      | Disabled         | N/A              | Forward Traffic Log generated for every single packet.
Log all Sessions      | Enabled          | Disabled         | Security log events appear in the Forward Traffic Log. Forward Traffic Log generated for every single packet.
Log all Sessions      | Enabled          | Enabled          | Security log events appear in the Security Logs. Forward Traffic Log generated for every single packet.

Viewing Log Messages

Log Viewer Filtering
- Use Filter Settings to customize the display of log messages to show specific information in log messages
- Reduce the number of log entries that are displayed
- Easily locate specific information

Log Severity Level
    date=2013-09-10 time=13:00:30 logid=0100032001 type=event subtype=system level=information vd="root" user="admin" ui=http(10.0.1.10) action=login status=success reason=none profile="super_admin" msg="Administrator admin logged in successfully from http(10.0.1.10)"
- The log severity level is indicated in the level field of the log message; information = normal event

Viewing Log Messages (Raw)
Fields in each log message are arranged into two groups:
- Log header (common to all log messages):
    date=2013-09-10 time=11:17:56 logid=0000000009 type=traffic subtype=forward level=notice vd=root
- Log body (varies per log entry type):
    srcip=172.16.78.32 srcport=900 srcintf=unknown-0 dstip=1.1.1.32 dstport=800 dstintf=unknown-0 dstcountry="Australia" srccountry="Reserved" service=800/tcp wanoptapptype=cifs duration=20 policyid=100 user="test user" group="test group" identidx=200 wanin=400 wanout=300 lanin=200 lanout=100

Viewing Log Messages (Raw)
- Log header:
    date=2013-09-10 time=12:55:06 log_id=32001 type=utm subtype=dlp eventtype=dlp level=warning vd=root filteridx=0
- Log body:
    policyid=12345 identidx=67890 sessionid=312 epoch=0 eventid=0 user="user" group="group" srcip=1.1.1.1 srcport=2560 srcintf="lo" dstip=2.2.2.2 dstport=5120 dstintf="port1" service=mm1
- The type and subtype fields identify the log file that the message is recorded in

Viewing Log Messages (Raw)
- Log body:
    srcip=172.16.78.32 srcport=900 srcintf=unknown-0 dstip=1.1.1.32 dstport=800 dstintf=unknown-0 dstcountry="Australia" srccountry="Reserved" service=800/tcp wanoptapptype=cifs duration=20 policyid=100 user="test user" group="test group" identidx=200 wanin=400 wanout=300 lanin=200 lanout=100 hostname="host" url="www.abcd.com" msg="Data Leak Prevention Testing Message" action=block severity=0 infection="carrier end point filter"
- policyid = ID number of the firewall policy matching the session

Viewing Log Messages (Raw)
- Log body:
    srcip=172.16.78.88 srcname=host srcport=0 srcintf=unknown-0 dstip=229.118.95.200 dstport=0 dstintf=unknown-0 sessionid=0 status=deny user="test user" group="test group" policyid=0 dstcountry="Reserved" srccountry="Reserved" trandisp=snat+dnat tranip=0.0.0.0 tranport=0 transip=0.0.0.0 transport=0 service=other proto=0 appid=1 app="AIM" appcat="IM" applist=unknown-1 duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 vpn="vpn0" shapersentname="shaper sent name" shaperdropsentbyte=16843009 shaperrcvdname="shaper rcvd name" shaperdroprcvdbyte=16843009 shaperperipname="perip name" shaperperipdropbyte=16843009 devtype="iPad" osname="linux" osversion="ver" unauthuser="user" unauthusersource="none" collectedemail="mail" mastersrcmac=02:02:02:02:02:02 srcmac=01:01:01:01:01:01
- status = action taken by the FortiGate unit

Alert Email
- Send a notification to an email address upon detection of a defined event
- Identify the SMTP server name
- Configure at least one DNS server
- Up to three recipients per mail server

SNMP
- Components: SNMP manager, managed device, SNMP agent, Fortinet MIB
- Traps received by the agent are sent to the SNMP manager
- Configure the FortiGate unit interface for SNMP access
- Compile and load the Fortinet-supplied MIBs into the SNMP manager
- Create SNMP communities to allow the connection from the FortiGate unit to the SNMP manager

Event Logging

Event Log

Monitor

Monitor
- Monitor sub-menus found in CLI for all main function menus
- User-friendly display of monitored information
- View the activity of a specific feature being monitored
- Various settings are found under config system global: gui-antivirus, gui-ap-profile, gui-application-control, gui-central-nat-table, gui-certificates, gui-client-reputation, gui-dlp, gui-dns-database, gui-dynamic-profile-display, gui-dynamic-routing, gui-endpoint-control, gui-explicit-proxy, gui-ipsec-manual-key, gui-implicit-policy, gui-ips, gui-icap, gui-ipv6, gui-lines-per-page, gui-load-balance, gui-local-in-policy, gui-multicast-policy, gui-multiple-utm-profiles, gui-object-tags, gui-policy-interface-pairs-view, gui-replacement-message-groups, gui-spamfilter, gui-sslvpn-personal-bookmarks, gui-sslvpn-realms, gui-utm-monitors, gui-voip-profile, gui-vpn, gui-vulnerability-scan, gui-wanopt-cache, gui-webfilter, gui-wireless-controller, gui-wireless-opensecurity

Monitor Example: Security Profiles Monitor
- Includes all security features
- AV Monitor: recent and top virus activity
- Web Monitor: top blocked FortiGuard categories
- Application Monitor: most used applications
- Intrusion Monitor: recent attacks
- FortiGuard Quota: per-user list of quota usage

Status Page Custom Widgets
- Many widgets can have their settings altered to display different information
- The same widget can be added multiple times to the same dashboard showing different information

Labs
Lab 1: Status Monitor and Event Log
  Ex 1: Exploring the GUI Status Monitor
  Ex 2: Event Log and Logging Options (OPTIONAL)
Lab 2: Remote Monitoring
  Ex 1: Remote Syslog and SNMP Monitoring

Classroom Lab Topology
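The raw log format, the header/body split and the severity threshold described in this module, as an added example (not FortiOS code): it parses the key=value lines shown on the slides, filters them by minimum severity, and, as a use of the event log together with the trusted-hosts idea from Module 1, reports admin logins whose source address lies outside an assumed trusted range. The fourth sample line is constructed.

```python
"""Parse FortiOS-style key=value log lines, split header from body, apply a
minimum severity level, and report admin logins from untrusted addresses.
Added teaching example, not FortiOS code. The first three sample lines are the
ones printed on the slides; the fourth is constructed for the trusted-host check."""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Severity levels from highest to lowest, in the order listed on the slides.
SEVERITY = ["emergency", "alert", "critical", "error", "warning",
            "notification", "information", "debug"]
# Raw logs spell the Notification level "notice" (see the traffic log sample).
LEVEL_ALIASES = {"notice": "notification", "info": "information"}
# Fields the slides place in the log header, common to all log messages.
HEADER_FIELDS = {"date", "time", "logid", "log_id", "type", "subtype",
                 "eventtype", "level", "vd"}
# key=value pairs: a value is either a double-quoted string (may contain
# spaces) or a run of non-space characters such as http(10.0.1.10) or 800/tcp.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
_UI = re.compile(r"^(\w+)\((.+)\)$")   # http(10.0.1.10) -> ("http", "10.0.1.10")

SAMPLE_LOGS = [
    'date=2013-09-10 time=13:00:30 logid=0100032001 type=event subtype=system '
    'level=information vd="root" user="admin" ui=http(10.0.1.10) action=login '
    'status=success reason=none profile="super_admin" '
    'msg="Administrator admin logged in successfully from http(10.0.1.10)"',
    'date=2013-09-10 time=11:17:56 logid=0000000009 type=traffic subtype=forward '
    'level=notice vd=root srcip=172.16.78.32 srcport=900 srcintf=unknown-0 '
    'dstip=1.1.1.32 dstport=800 dstintf=unknown-0 dstcountry="Australia" '
    'srccountry="Reserved" service=800/tcp wanoptapptype=cifs duration=20 '
    'policyid=100 user="test user" group="test group" identidx=200 '
    'wanin=400 wanout=300 lanin=200 lanout=100',
    'date=2013-09-10 time=12:55:06 log_id=32001 type=utm subtype=dlp eventtype=dlp '
    'level=warning vd=root filteridx=0 policyid=12345 identidx=67890 sessionid=312 '
    'epoch=0 eventid=0 user="user" group="group" srcip=1.1.1.1 srcport=2560 '
    'srcintf="lo" dstip=2.2.2.2 dstport=5120 dstintf="port1" service=mm1',
    # Constructed line: an admin login from an address outside the lab network.
    'date=2013-09-10 time=13:05:12 logid=0100032001 type=event subtype=system '
    'level=information vd="root" user="admin" ui=ssh(203.0.113.5) action=login '
    'status=success reason=none profile="super_admin" '
    'msg="Administrator admin logged in successfully from ssh(203.0.113.5)"',
]


def parse_log_line(line: str) -> Dict[str, str]:
    """Return the key=value fields of one raw log line, with quotes stripped."""
    fields = {}
    for key, raw in _KV.findall(line):
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            raw = raw[1:-1]
        fields[key] = raw
    return fields


def split_header_body(fields: Dict[str, str]) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Split parsed fields into the common log header and the type-specific body."""
    header = {k: v for k, v in fields.items() if k in HEADER_FIELDS}
    body = {k: v for k, v in fields.items() if k not in HEADER_FIELDS}
    return header, body


def severity_rank(level: str) -> int:
    """0 = emergency ... 7 = debug; an unknown level ranks as debug."""
    name = LEVEL_ALIASES.get(level.lower(), level.lower())
    return SEVERITY.index(name) if name in SEVERITY else len(SEVERITY) - 1


def should_log(level: str, minimum: str = "information") -> bool:
    """True when the message is at or above the configured minimum severity."""
    return severity_rank(level) <= severity_rank(minimum)


def filter_logs(lines: List[str], minimum: str = "information") -> List[Dict[str, str]]:
    """Keep only the messages the unit would record at the given minimum level."""
    parsed = (parse_log_line(line) for line in lines)
    return [f for f in parsed if should_log(f.get("level", "debug"), minimum)]


def login_source(fields: Dict[str, str]) -> Tuple[str, Optional[str]]:
    """Split the ui field into (protocol, ip); (ui, None) when there is no address."""
    match = _UI.match(fields.get("ui", ""))
    return (match.group(1), match.group(2)) if match else (fields.get("ui", ""), None)


def untrusted_admin_logins(lines: List[str], trusted_hosts: List[str]) -> List[Tuple[str, str, str]]:
    """(user, protocol, ip) for successful admin logins not from a trusted network."""
    nets = [ipaddress.ip_network(n) for n in trusted_hosts]
    hits = []
    for f in (parse_log_line(line) for line in lines):
        if f.get("type") != "event" or f.get("action") != "login" or f.get("status") != "success":
            continue
        proto, ip = login_source(f)
        if ip is not None and not any(ipaddress.ip_address(ip) in net for net in nets):
            hits.append((f.get("user", ""), proto, ip))
    return hits
```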
Module 3: Firewall Policies

Module Objectives
By the end of this module, participants will be able to:
- Identify the components used in a firewall policy
- Create firewall objects
- Create address-based firewall policies
- Create device identity-based firewall policies
- Manage the ordering of different firewall policies
- Monitor traffic through policies
- Create central NAT rules
- Enable client reputation

Firewall Policies
- Components: incoming and outgoing interfaces, source and destination IP addresses, services, schedules, action = ACCEPT, authentication, threat management, traffic shaping, logging
- Firewall policies include the instructions used by the FortiGate device to determine what to do with a connection request
- The packet is analyzed, its content compared to the policy, and the action performed

Types of Policies
- Address: policy match based on IPs
- User Identity: policy match based on authentication information (user)
- Device Identity: policy match based on OS/type

Firewall Actions
- Traffic matches a policy: the policy action is taken (Accept or Deny)
- Traffic does not match a policy: Deny

Firewall Policy Elements - Address Subtype

Firewall Policy Elements - User Identity Subtype

Firewall Policy Elements - Device Identity Subtype
- OS identity: the device is identified based on packet behavior and details: MAC address (Forti-Device only), DHCP VCI, TCP SYN fingerprint, HTTP User-Agent
- Identification rules are updated with FortiGuard definitions

Device Identification (Bring Your Own Device)
- Device detection is dependent on it being enabled on the interface
- In the GUI, you will be prompted when you create a device identification policy
- Enable directly through the CLI:
    config system interface
        edit "port1"
            set device-identification (enable|disable*)
            set device-user-identification (enable*|disable)
    end
- Per-VDOM settings on what to detect: config system network-visibility
- The global setting of the device types FortiOS detects is hardcoded

Device Identification - Manual Device Entry
- Devices can be manually identified in the config:
    config user device
        edit me
            set mac-address <MAC address>
            set type <type name>
            set user <user name>
    end
- Once the device is created it can be added to a device group: config user device-group

Device Identification - Captive Portal
Captive Portal options:
- Email collection (attach an email to the device); currently, authentication and device identification are not compatible
- FortiClient download (force FortiClient install)
- Portal to identify the OS through the HTTP user agent

Device Identification - Email Collection
- Used in conjunction with device type
- Collected Emails: collects an email to be associated with the device
- Emails are not verified; the domain is checked for DNS resolution

Device Identification - Email Portal
    config sys setting
        set email-portal-check-dns [enable|disable]

Device Identification - Device List
- User & Devices > Device > Device
- diag user device list

Firewall Address Objects
- The FortiGate device compares the source and destination address in the packet to the policies on the device
- A default of ALL addresses is available
- Addresses in policies are configured with: a name for display in the policy list; IP address and mask; FQDN if desired (DNS is used to resolve it)
- Use Country to create addresses based on geographical location
- Create address groups to simplify administration

Firewall Interfaces
- Select Incoming Interface to identify the interface or zone on which packets are received; select an individual interface or ANY to match all interfaces as the source
- Select Outgoing Interface to identify the interface or zone to which packets are forwarded; select an individual interface or ANY to match all interfaces

Firewall Service Objects
- The FortiGate unit uses Services (protocol and port) to determine the types of communication accepted or denied
- A default of ALL services is available
- Select a Service from the predefined list on the FortiGate unit or create a custom service
- A Web Proxy Service is also available if the Incoming Interface is set to web-proxy
- Group Services and Web Proxy Service Groups simplify administration

Traffic Logging
- Deny: Log Violation Traffic
- Accept: Log All Sessions

Network Address Translation (Source NAT)
Firewall policy with NAT enabled; wan1 IP address: 200.200.200.200; internal host 10.10.10.1; destination server 11.12.13.14
- Before NAT (internal): source IP address 10.10.10.1, source port 1025, destination IP address 11.12.13.14, destination port 80
- After NAT (wan1): source IP address 200.200.200.200, source port 30912, destination IP address 11.12.13.14, destination port 80

NAT Dynamic IP Pool (Source NAT)
Firewall policy with NAT + IP pool enabled; wan1 IP pool: 200.200.200.2-200.200.200.10
- Before NAT (internal): source IP address 10.10.10.1, source port 1025, destination IP address 11.12.13.14, destination port 80
- After NAT (wan1): source IP address 200.200.200.? (an address from the pool), source port 30957, destination IP address 11.12.13.14, destination port 80

Central NAT Table
- Disabled in the GUI (default):
    config system global
        set gui-central-nat-table enable
    end

Traffic Shaping
- Traffic shaping controls which policies (for example HTTP, FTP, IM) have higher priority when large amounts of data are passing through the FortiGate unit
- Normalizes traffic bursts by prioritizing certain flows over others

Source NAT IP Address and Port
- The session table identifies the IP and port with NAT applied

Fixed Port (Source NAT)
Firewall policy with NAT + IP pool enabled + fixed port (CLI only); wan1 IP pool: 200.200.200.201
- Before NAT (internal): source IP address 10.10.10.1, source port 1025, destination IP address 11.12.13.14, destination port 80
- After NAT (wan1): source IP address 200.200.200.201, source port 1025, destination IP address 11.12.13.14, destination port 80

Virtual IPs (Destination NAT)
Firewall policy with destination address virtual IP + static NAT; wan1 IP address: 200.200.200.200
- Incoming (wan1): source IP address 11.12.13.14, destination IP address 200.200.200.222, destination port 80
- The VIP translates the destination 200.200.200.222 -> 10.10.10.10 (internal)

Virtual IPs (Destination NAT)
Firewall policy with destination address virtual IP + static NAT; wan1 IP address: 200.200.200.200
- Incoming (wan1): source IP address 11.12.13.14, destination IP address 200.200.200.200, destination port 80
- The VIP translates the destination 200.200.200.200 -> 10.10.10.10 (internal)
- Used to allow connections through a FortiGate using NAT firewall policies
- The FortiGate unit can respond to ARP requests on a network for a server that is installed on another network
- Used for (1) server redundancy and load balancing; (2) IPSec VPN site-to-site with identical subnets at both sites; etc.
- VIP Group: a group of Virtual IPs for ease of use

Local-In Firewall Policies
- Policies designed for traffic that is localized to the FortiGate unit: central management, update announcement, NetBIOS forward
- The destination address of firewall policies for local-in traffic is limited to the FortiGate interface IP and secondary IP addresses
- Local-in firewall policies can be created for IPv4 and IPv6 (CLI only)

Threat Management

Threat Management - Client Reputation
- Disabled in the GUI (default):
    config system global
        set gui-client-reputation enable
    end
- A hard drive is required for the Reputation Score (FortiAnalyzer, FortiManager or FortiCloud)

Proxy Options - File Size
- Firewall Policy > Enable Security Profile > Proxy Options > Oversize File/Email: Pass or Block, Threshold
- The file size is checked against preset thresholds (configured in the CLI: config firewall profile-protocol-options)
- If larger than the threshold (default 10 MB) and the action is set to block, then the file is rejected
- If larger than the threshold and the action is set to allow, the uncompressed file must fit within the memory buffer; if not, by default no further scanning operations are performed

Traffic Shapers
- Traffic shapers apply Guaranteed Bandwidth and Maximum Bandwidth values to the addresses affected by a policy
- Shared Traffic Shaper: values are shared between all IP addresses affected by the policy
- Per-IP Traffic Shaper: values are applied to each IP address affected by the policy

DoS Policies
- DoS policies identify network traffic that does not fit known or common patterns of behavior
- If determined to be an attack, the action in the DoS sensor is taken
- DoS policies are applied before firewall policies
- If traffic passes the DoS sensor, it continues to the firewall policies

Endpoint Control
- Up to date?
- Disallowed software installed?
Slide 35: Firewall Object Usage
- Allows for faster changes to settings
- The Reference column allows administrators to determine where the object is being used
- Navigate directly to the appropriate edit page

Slide 36: Object Tagging
- Simplifies firewall policy object management
- Useful for administering multiple VDOMs: easier to find and access specific firewall policies within specific VDOMs
- Available for firewall policies, address objects, IPS predefined signatures and application entries/filters
- Objects can provide useful organizational information

Slide 37: Monitor
- View policy usage by active sessions, bytes or packets
- Policy > Monitor > Policy Monitor

Slide 38: Labs
- Lab 1: Firewall Policy. Ex 1: Creating Firewall Objects and Rules; Ex 2: Policy Action; Ex 3: Configuring Virtual IP Access; Ex 4: Configuring IP Pools (OPTIONAL)
- Lab 2: Traffic Log. Ex 1: Enabling Traffic Logging
- Lab 3: Device Policies. Ex 1: Enabling Device Identification

Slide 39: Classroom Lab Topology (figure only)

Module 4: Local User Authentication

Slide 2: Module Objectives
By the end of this module participants will be able to:
- Describe the authentication mechanisms available through the FortiGate device
- Create local users and user groups
- Monitor active users
- Check authentication log entries
- Configure user disclaimers
- Describe two-factor authentication
- Create identity-based policies to enable local user authentication

Slide 3: Authentication
- The identity of users and host computers must be established to ensure that only authorized parties can access the network
- The FortiGate unit provides network access control and applies authentication to users of firewall policies and VPN clients

Slide 4: Local User Authentication
- Local user authentication is based on usernames and passwords stored locally on the FortiGate unit
- An administrator creates local user accounts on the FortiGate device; for each account, a user name and password is stored
- Two-factor authentication can be enabled on a per-user basis

Slide 5: User Authentication via Remote Server
- The FortiGate unit must be configured to access the external servers used to authenticate the users
- Administrators can create an account for the user locally and specify the server to verify the password, or
- Administrators can add the authentication server to a user group; all users in that server become members of the group

Slide 6: User Authentication via Remote Server (figure only: LDAP directory services, TACACS+, RADIUS, remote users, digital certificates)

Slide 7: User Groups
- (figure: Firewall User Group, Directory Service User Group, Guest User Group; example groups "Paris Visitors" and "Active Directory")
- User groups are assigned one of four group types: Firewall, Fortinet Single Sign On (FSSO), Guest and RADIUS Single Sign On (RSSO)
- Firewall user groups provide access to firewall policies that require authentication
- Directory Service user groups are used to allow single sign on for Active Directory or Novell eDirectory users

Slide 8: Identity-Based Policies
- (figure: Policy > Enable Identity Based Policy; an authentication rule with User/Group, Services, Schedules, Logging, Threat Management and Traffic Shaping)
- Identity-based policies are enabled to require firewall authentication
- Authentication rules identify the users and user groups that will be forced to authenticate
- A rule also defines other aspects of authentication, including services, schedules, UTM, logging and traffic shaping

Slide 9: Disclaimers
- Policy > Enable Disclaimer
- Displays the Terms and Disclaimer Agreement page before the user authenticates
- The user must accept the disclaimer to proceed with the authentication process
- Once authenticated, the user is directed to the original destination

Slide 10: Authentication Timeout
- Timeout values specify how long an authenticated connection can be idle before the user must authenticate again
- User Authentication Timeout controls the firewall authentication timer; the default value is 5 minutes
- SSL VPN Idle Timeout controls the SSL VPN user authentication timer; the default value is 300 seconds (5 minutes)

Slide 11: Password Policy
- Minimum Length: 8 to 64 characters
- Must Contain: uppercase letters, lowercase letters, numerical digits, non-alphanumeric characters
- Password Expiration: X days
- Apply to: Administrators, IPSec Preshared Key
- Set a password policy to enforce higher standards for both the length and complexity of passwords
- Policies can be applied to administrator passwords and IPSec VPN preshared keys

Slide 12: Two-Factor Authentication
A one-time password can be delivered to the user through various methods:
- FortiToken: every 60 seconds, the token generates a 6-digit code based on a unique serial number, seed and GMT time
- Email: the one-time password is sent to the user's configured email address after successful password authentication
- SMS phone message: the one-time password is sent through email to the user's SMS provider; the email address pattern varies by provider

Slide 13: Two-Factor Authentication (figure only)

Slide 14: Policy Configuration (figure only)

Slide 15: User Monitor
- Displays logged in users, groups, the policy ID being used, time left before the inactivity timeout, IP, the amount of traffic sent by the user, and the authentication method
- Also used to terminate authentication sessions

Slide 16: Labs
- Lab 1: User Authentication. Ex 1: Identity-based Firewall Policy

Slide 17: Classroom Lab Topology (figure only)
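The password-policy rules on slide 11 and the time-based one-time code on slide 12, as an added example that is not part of the course material or Fortinet's code. check_password() applies the listed rules (configurable minimum length of 8 to 64 characters and the four character classes), password_expired() applies the X-day expiration, and totp_code() produces a 6-digit code that changes every 60 seconds from a seed and GMT time. The code uses the standard TOTP construction (RFC 6238 over HOTP/HMAC-SHA1); that FortiToken's internal scheme is exactly this, and the demo seed, are assumptions made for illustration, and the serial number is not modelled.

```python
"""Password-policy check and 60-second one-time code (added illustration, not
Fortinet code). TOTP per RFC 6238 with a 60 s step is an assumption standing
in for FortiToken's scheme; the seed used in the demo is constructed."""
import hashlib
import hmac
import struct

MIN_LENGTH = 8      # slide: minimum length is configurable from 8 ...
MAX_LENGTH = 64     # ... up to 64 characters


def check_password(password: str, min_length: int = MIN_LENGTH) -> list:
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    if not min_length <= len(password) <= MAX_LENGTH:
        problems.append(f"length must be between {min_length} and {MAX_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("must contain an uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("must contain a lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("must contain a numerical digit")
    if not any(not c.isalnum() for c in password):
        problems.append("must contain a non-alphanumeric character")
    return problems


def password_expired(set_at: int, now: int, expire_days: int) -> bool:
    """Password Expiration: X days, counted from when the password was set (epoch seconds)."""
    return expire_days > 0 and now - set_at >= expire_days * 86400


def totp_code(seed: bytes, gmt_time: int, step: int = 60, digits: int = 6) -> str:
    """One-time code for the 60-second window that contains gmt_time (epoch seconds, UTC)."""
    counter = gmt_time // step                       # one counter value per 60 s window
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify_code(seed: bytes, submitted: str, gmt_time: int, skew_windows: int = 1) -> bool:
    """Accept the code of the current window or of up to skew_windows neighbours (clock drift)."""
    for w in range(-skew_windows, skew_windows + 1):
        t = gmt_time + w * 60
        if t < 0:
            continue
        if hmac.compare_digest(totp_code(seed, t), submitted):
            return True
    return False


if __name__ == "__main__":
    print(check_password("Tr0ub4dor&3"))             # [] : accepted
    seed = b"12345678901234567890"                   # constructed demo seed
    code = totp_code(seed, 30)
    print(code, verify_code(seed, code, 45))
```

The verifier accepts one window of drift on either side, which is the usual trade-off between tolerating unsynchronised clocks and keeping the window in which a captured code stays usable short.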
Module 5: SSL VPN

Slide 2: Module Objectives
By the end of this module participants will be able to:
- Identify the VPN technologies available on the FortiGate device
- Configure the SSL VPN operating modes
- Define user restrictions
- Set up SSL VPN portals
- Customize logins
- Configure firewall policies and authentication rules for SSL VPNs

Slide 3: Virtual Private Networks (VPN)
- A secure tunnel over an unsecured network
- Used when there is a need to transmit private data over a public network
- PC based, suitable for use when traveling

Slide 4: FortiGate VPN
SSL VPN:
- Typically used to secure web transactions
- An HTTPS link is created to securely transmit application data between client and server
- The client signs on through a secure web page (SSL VPN portal) on the FortiGate device
IPSec VPN:
- Well suited for network-based legacy applications
- A secure tunnel is created between two host devices
- IPSec VPN can be configured between a FortiGate unit and most third-party IPSec VPN devices or clients

Slide 5: SSL VPN Web-Only Mode
1. Connection of the remote user to the SSL VPN portal (HTTPS web site)
2. Tunnel created
3. User authentication
4. Portal web page presented
5. Click a bookmark to access a resource

Slide 6: SSL VPN Tunnel Mode
1. Connection of the remote user to the SSL VPN portal (HTTPS web site)
2. Tunnel created
3. Authenticate
4. Portal web page presented
5. Access resources

Slide 7: User Groups
- Web mode and tunnel mode both require a firewall policy for authentication
- Tunnel mode requires additional policies to allow internal network access
- The mode(s) a user has access to is determined by the authentication policy, which also determines the portal page users are presented

Slide 8: Authentication
- Username and password (one factor)
- Username and password + FortiToken (two factor)

Slide 9: SSL VPN Server Certificate
- The certificate presented to the client initiating the SSL VPN session
- The FortiGate device uses a self-signed certificate by default
- Certificates issued by a trusted Certificate Authority avoid web browser security warnings

Slide 10: Encryption Key Algorithm
- Level of encryption used for SSL VPN connections: High, Default, Low
- The default setting is RC4 (128 bits) and higher
- If set to High, SSL VPN connections with clients that cannot meet this standard will fail

Slide 11: Web Portal Interface
- The web page displayed when the client logs into the SSL VPN
- Includes widgets to access functionality on the portal (such as bookmarks and connection tools)
- Software download option for tunnel mode
- The default SSL VPN web portal page is accessible on port 4443: https://<FortiGate IP address>:4443

Slide 12: Full-Access Web Portal Interface (figure only)

Slide 13: Tunnel Mode Split-Tunneling
- Only traffic destined for the tunnel IP range network will be routed over the SSL VPN
- If access to another inside network is desired, the client will need to create a static route pointing to their own SSL VPN interface
- Associated firewall policies must exist

Slide 14: Client Integrity Checking
- The SSL VPN gateway checks the client system
- Detects client protection applications (for example, antivirus and personal firewall)
- Determines the state of the applications (active/inactive, current version number and signature updates)
- Examples include: Cisco Network Admission Control (NAC), MS Network Access Protection (NAP), Trusted Computing Group's (TCG) Trusted Network Connect

Slide 15: Client Host Checking
- Relies on external vendors to ensure client integrity (not implemented by all SSL VPN vendors)
- Requires administrators to determine the appropriate version/signature versions and policy
- Easily outdated, limiting the protection provided
- Checks whether the required software is installed on the connecting PC; otherwise the connection is refused
- CLI only:
  config vpn ssl web portal
    edit <portal name>
      set host-check [av|av-fw|custom|fw]
      set host-check-interval <seconds>
  end

Slide 16: SSL VPN Tunnel Mode Connection
- A new network connection called fortissl is created
- The connection obtains a virtual IP address
- This virtual adapter becomes the preferred default route if split tunneling is disabled
- The web portal page will display the status of the SSL VPN client ActiveX control
- The portal web page must remain open for the tunnel to function
- The FortiGate needs a route added for the tunnel IP addresses

Slide 17: SSL VPN Client Port Forward
- Port Forward mode extends the applications supported by Web Application Mode
- Application types (some examples): PortForward (generic port forward application); Citrix (Citrix server web interface access); RDPNative (Microsoft Windows native RDP client over port forward); etc.

Slide 18: Custom Login
- Allows creation of additional login URLs
- Adds another layer of user separation
- May be necessary for a seamless migration from other platforms
- Example: https://x.x.x.x/Students:<port> and https://x.x.x.x/Teachers:<port>

Slide 19: SSL-VPN Policy De-Authentication
- The firewall policy authentication session is associated with the SSL VPN tunnel session
- Forces expiration of the firewall policy authentication session when the associated SSL VPN tunnel session is ended by the user
- Prevents reuse of authenticated SSL VPN firewall policies (not yet expired) by a different user after the initial user terminates their SSL VPN tunnel session

Slide 20: SSL VPN Access Modes
Web Mode:
- No client software required (web browser only)
- Reverse proxy rewriting of HTTP, HTTPS, FTP, SAMBA (CIFS)
- Java applets for RDP, VNC, TELNET, SSH
Tunnel Mode:
- Uses a FortiGate-specific client downloaded to the PC (ActiveX or Java applet)
- Requires admin/root privilege to install the layer-3 tunnel adaptor
Port Forward Mode:
- A Java applet works as a local proxy to intercept specific TCP port traffic, then encrypts it in SSL
- Downloaded to the client PC and installed without admin/root privileges
- The client application must point to the Java applet

Slide 21: Configuration
- Step 1: Configure the settings (IP pool, certificate, port): VPN > SSL > Config
- Step 2: Configure your portals for user access (web or tunnel mode access, bookmarks, custom URL(s) if necessary): VPN > SSL > Portal
- Step 3: Decide on split tunneling or not (in the portal config)
- Step 4: Set up the firewall VPN policy for access

Slide 22: Configuration (figure only)

Slide 23: Labs
- Lab 1: SSL VPN. Ex 1: Configuring SSL VPN for Web Access; Ex 2: Configuring SSL VPN for Tunnel Mode

Slide 24: Classroom Lab Topology (figure only)

Module 6: IPSec VPN

Slide 2: Module Objectives
By the end of this module participants will be able to:
- Define the architectural components of IPSec VPN
- Define the protocols used as part of an IPSec VPN
- Identify the phases of Internet Key Exchange (IKE)
- Identify the FortiGate unit IPSec VPN modes
- Deploy a site-to-site VPN
- Identify the differences between Interface and Policy mode VPNs
- Configure IPSec VPN on the FortiGate unit

Slide 3: IPSec VPN (figure only: private network; sender authenticated; data confidential; data has integrity)

Slide 4: IPSec VPN
- IPSec is a set of standard protocols and services used to encrypt data so that it cannot be read or tampered with as it travels across a network
- Provides: authentication of the sender; confidentiality of data; proof that data has not been tampered with

Slide 5: IPSec VPN
- IPSec VPN operates at the network layer (layer 3)
- Encryption occurs transparently to the upper layers; applications do not need to be designed to use IPSec
- IPSec VPN can protect upper layer protocols (such as TCP), but the complexity and overhead of the exchange is increased; for example, IPSec cannot depend on TCP to manage reliability and fragmentation

Slide 6: Internet Key Exchange
- Internet Key Exchange (IKE) allows the parties involved in a transaction to set up their Security Associations
- Phase 1 authenticates the parties involved and sets up a secure channel to enable the key exchange
- Phase 2 negotiates the IPSec parameters to define an IPSec tunnel

Slide 7: Phase 1
IKE Phase 1 performs the following:
- Authenticates and protects the parties involved in the IPSec transaction; can use pre-exchanged keys or digital certificates
- Negotiates a matching SA policy between the computers to protect the exchange
- Performs a Diffie-Hellman exchange; the keys derived from this exchange are used in Phase 2
- Sets up a secure channel to negotiate Phase 2 parameters

Slide 8: Defining Phase 1 Parameters (figure only; KB IDs: 11657, 13574)

Slide 9: Phase 2
IKE Phase 2 performs the following:
- Negotiates IPSec SA parameters, protected by the existing IKE SA
- Renegotiates IPSec SAs regularly to ensure security
- Optionally, an additional Diffie-Hellman exchange may be performed

Slide 10: Defining Phase 2 Parameters (figure only)

Slide 11: Interface Mode
- Creates a virtual IPSec network interface that applies encryption or decryption as needed to any traffic that it carries
- Also known as route-based
- Create two firewall policies between the virtual IPSec interface and the interface that connects to the private network; the firewall policy action is ACCEPT
- Needs static routes over VPN tunnels
- Required if dynamic routing, GRE over IPSec or altering of the incoming subnet is needed

Slide 12: Policy Mode
- Easy to configure: a single internal-to-external firewall policy supports bi-directional traffic
- Also known as tunnel-based
- The policy action is IPSec, with the Phase 1 tunnel selected
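The Diffie-Hellman exchange that slide 7 places in IKE Phase 1, worked through as an added example that is not part of the course material or FortiOS. Both peers pick a private exponent, send only the public value, and arrive at the same shared secret, which then feeds the Phase 2 key derivation. The group is the 1024-bit MODP group (IKE DH group 2, RFC 2409 section 6.2, transcribed here); derive_key() is a simplified HMAC stand-in for IKE's PRF-based SKEYID derivation, not the real IKE construction, and the nonces and labels are constructed for the demo.

```python
"""IKE Phase 1 style Diffie-Hellman exchange (added illustration, not FortiOS
code). DH group 2 modulus transcribed from RFC 2409; derive_key() is a
simplified stand-in for IKE's PRF, not the real SKEYID derivation."""
import hashlib
import hmac
import secrets

GROUP2_PRIME_HEX = (
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF"
)
P = int(GROUP2_PRIME_HEX, 16)          # 1024-bit prime modulus
G = 2                                  # generator for group 2
P_BYTES = (P.bit_length() + 7) // 8    # 128 bytes


def dh_private() -> int:
    """Random private exponent in [2, P-2]; never leaves the peer."""
    return secrets.randbelow(P - 3) + 2


def dh_public(priv: int) -> int:
    """g^x mod p: the only value sent over the wire."""
    return pow(G, priv, P)


def dh_shared(priv: int, peer_pub: int) -> int:
    """(g^y)^x mod p; degenerate public values (0, 1, p-1) are rejected first."""
    if not 1 < peer_pub < P - 1:
        raise ValueError("peer public value outside the valid range")
    return pow(peer_pub, priv, P)


def derive_key(shared: int, nonce_i: bytes, nonce_r: bytes, label: bytes) -> bytes:
    """Simplified PRF stand-in: HMAC-SHA256 keyed by both nonces over g^xy || label."""
    return hmac.new(nonce_i + nonce_r,
                    shared.to_bytes(P_BYTES, "big") + label,
                    hashlib.sha256).digest()


def phase1_exchange(priv_i=None, priv_r=None) -> dict:
    """Run the exchange for an initiator and a responder and return both sides' results."""
    priv_i = priv_i or dh_private()
    priv_r = priv_r or dh_private()
    pub_i, pub_r = dh_public(priv_i), dh_public(priv_r)    # exchanged in the clear
    nonce_i, nonce_r = secrets.token_bytes(16), secrets.token_bytes(16)
    secret_i = dh_shared(priv_i, pub_r)                     # initiator's view
    secret_r = dh_shared(priv_r, pub_i)                     # responder's view
    return {
        "initiator_secret": secret_i,
        "responder_secret": secret_r,
        "initiator_key": derive_key(secret_i, nonce_i, nonce_r, b"phase2"),
        "responder_key": derive_key(secret_r, nonce_i, nonce_r, b"phase2"),
    }


if __name__ == "__main__":
    result = phase1_exchange()
    print("secrets match:", result["initiator_secret"] == result["responder_secret"])
    print("phase 2 key:", result["initiator_key"].hex())
```

Note that the exchange alone does not authenticate either peer; that is what the pre-shared key or certificate step on the same slide adds, and without it the public values could be swapped in transit.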
- IPSec policies should be located first in your policy list
- Vulnerable to errors in quick modes or policies; the order of policies is very important

Slide 13: Policy Versus Interface Mode
Policy Mode:
- Less configuration involved
- Dependent on policy order for proper operation
- Less granular control than Interface mode
Interface Mode:
- Required for GRE over IPSec
- Required if manipulation of packet source IPs is necessary
- Required to have the FortiGate unit participate in dynamic routing communication over the IPSec connection
- More control

Slide 14: Overlapping Subnets
- Site-to-site route-based VPN configurations sometimes experience a problem where the private subnet addresses at each end of the connection are the same
- After a tunnel is established, hosts on each side can communicate with hosts on the other side using the mapped IP addresses
- Use NAT with an IP Pool
- Interface mode can NAT both the incoming and outgoing traffic; policy mode can only NAT outgoing traffic

Slide 15: IPSec Topologies (Site-to-Site) (figure only: Headquarters, Branch office, site-to-site)

Slide 16: IPSec VPN Monitor
- Monitor activity on IPSec VPN tunnels
- Stop and start tunnels
- Display address, proxy IDs and timeout information
- A green arrow indicates that the negotiations were successful and the tunnel is UP
- A red arrow means the tunnel is DOWN or not in use

Slide 17: IPSec VPN Monitor (figure only)

Slide 18: Configuration
- Step 1: Configure Phase 1: choose the interface to listen for connections; choose the remote location; choose advanced options (DH group, XAUTH, ...)
- Step 2: Configure Phase 2: multiple Phase 2s are possible on a single Phase 1 tunnel
- Step 3: Create the firewall VPN policy(s): more than one policy may be needed to allow all the access required

Slide 19: Configuration (figure only)

Slide 20: Labs
- Lab 1: IPSec VPN. Ex 1: Site to Site IPSec VPN

Slide 21: Classroom Lab Topology (figure only)
Module 7: Antivirus

Slide 2: Module Objectives
By the end of this module participants will be able to:
- Identify conserve mode conditions and AV system behavior
- Define the virus scanning techniques used on the FortiGate unit
- Differentiate between file-based and flow-based virus scanning
- Configure virus scanning
- Define firewall policies using antivirus profiles
- Update FortiGuard Services
- Identify which protocols can be scanned
- Set up grayware and heuristic scanning
- Submit unknown virus samples to Fortinet

Slide 3: Conserve Mode
- What is conserve mode? A system self-protection measure when facing local resource exhaustion
- When entering conserve mode the FortiGate unit activates protection measures in order to recover memory space
- Once enough memory is recovered, the system leaves the conserve mode state and releases the protection measures
- Two types: regular and kernel
- Search "conserve mode" at http://kb.fortinet.com; KB Article IDs: FD33103, 11076, 10209

Slide 4: Conserve Mode
- Regular conserve mode is depletion of shared memory, used mainly by proxies (to store the buffered data) but also by buffers (logging, quarantining)
- Impact (configurable): established sessions remain unchanged; new sessions are not inspected
- The fail-open action applies to stream- and proxy-based inspection

Slide 5: AV Fail-Open
- There are currently two conditions that can cause the FortiGate unit to operate in AV fail-open mode: (1) the system is low on memory and has entered conserve mode; (2) the individual proxy pool is full (no free connections are available)
- With the first condition, low memory, the av-failopen setting will be applied; the default for this setting is Pass

Slide 6: AV Fail-Open
- The system enters conserve mode when the amount of free shared memory is less than approximately 20%
- It goes back to non-conserve mode when this value increases to approximately 30%
- The log entry details the actual amount of memory
- CLI:
  config system global
    set av-failopen {idledrop | off | one-shot | pass}
  end
  (idledrop: drop idle connections; off; one-shot; pass)

Slide 7: AV Fail-Open
- The second condition occurs when the individual proxy pool is full (default disable)
- The action will depend on the av-failopen-session setting
- If av-failopen-session is enabled and the free connections in the proxy connection pool reach zero, the protocol reverts back to the av-failopen setting
- If av-failopen-session is disabled and the limit is reached, all sessions will be blocked for the proxy
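The conserve-mode behaviour of slides 4 to 6, as an added example that is not part of the course material or FortiOS. The state machine enters conserve mode when free shared memory drops below about 20% and leaves only once it climbs back above about 30%; the gap between the two thresholds is what keeps the unit from flapping in and out around a single value. Established sessions are left untouched, new proxy sessions are passed uninspected while conserve mode is active, and with idledrop idle connections are dropped to recover memory. Only the two av-failopen actions the slides describe (pass, the default, and idledrop) are modelled, and the session table and memory samples are constructed.

```python
"""Conserve-mode state machine with hysteresis (added illustration, not FortiOS
code). Thresholds are the approximate values from the slides; the session
table and the memory samples used in the demo are constructed."""

ENTER_BELOW_PCT = 20.0   # "less than approximately 20%" free shared memory
LEAVE_ABOVE_PCT = 30.0   # "increases to approximately 30%"


class ConserveMode:
    def __init__(self, av_failopen: str = "pass"):
        if av_failopen not in ("pass", "idledrop"):
            raise ValueError("only the pass and idledrop actions are modelled here")
        self.av_failopen = av_failopen
        self.active = False
        self.sessions = {}      # session id -> {"inspected": bool, "idle": bool}
        self.log = []           # what the unit's log entries would record

    def update_memory(self, free_pct: float) -> bool:
        """Feed one free-shared-memory sample; return whether conserve mode is active after it."""
        if not self.active and free_pct < ENTER_BELOW_PCT:
            self.active = True
            self.log.append(f"entering conserve mode: free shared memory {free_pct:.1f}%")
            if self.av_failopen == "idledrop":
                idle = [sid for sid, s in self.sessions.items() if s["idle"]]
                for sid in idle:
                    del self.sessions[sid]      # free the memory those proxies hold
                self.log.append(f"idledrop: dropped {len(idle)} idle connection(s)")
        elif self.active and free_pct > LEAVE_ABOVE_PCT:
            self.active = False
            self.log.append(f"leaving conserve mode: free shared memory {free_pct:.1f}%")
        # Samples between 20% and 30% leave the state as it is (hysteresis).
        return self.active

    def new_session(self, sid: str) -> str:
        """A new session is scanned normally, or passed uninspected while in conserve mode."""
        inspected = not self.active
        self.sessions[sid] = {"inspected": inspected, "idle": False}
        return "inspected" if inspected else "passed uninspected"

    def mark_idle(self, sid: str) -> None:
        self.sessions[sid]["idle"] = True


def run_samples(samples, av_failopen: str = "pass"):
    """Apply a series of memory samples and return the conserve-mode state after each."""
    cm = ConserveMode(av_failopen)
    return [cm.update_memory(pct) for pct in samples]


if __name__ == "__main__":
    # Constructed sample series: falls through 20%, hovers in the gap, then recovers past 30%.
    print(run_samples([35, 25, 19, 25, 29, 31, 20]))
```

When reviewing a unit that has been in and out of conserve mode, the log lines above are the ones to correlate with the traffic that was passed uninspected, since those sessions received no AV verdict at all.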
Slide 8: Antivirus
- Detect and eliminate viruses, worms, Trojans and spyware in real time
- Stop threats before they enter the network
- Scans HTTP and FTP traffic as well as incoming and outgoing SMTP, POP3 and IMAP email
- Internet Content Adaptation Protocol (ICAP) support: the FortiGate unit acts as an ICAP client to communicate with ICAP servers that the FortiGate unit can utilize for offloading AV scanning services
- First enable it in the CLI:
  config system global
    set gui-icap enable
  end
  then configure under Security Profiles > ICAP

Slide 9: Antivirus Scanning Order
1. File size
2. File name pattern (for example, .jpg)
3. File type
4. Virus scan
5. Grayware
6. Heuristics

Slide 10: Proxy-Based Scanning
- The antivirus proxy buffers the file as it arrives; once transmission is complete, the virus scanner examines the file
- Higher detection and accuracy rate
- Comfort clients can be used to avoid timeouts

Slide 11: Flow-Based Scanning
- The file is scanned on a packet-by-packet basis as it passes through the FortiGate unit
- Faster scanning, but a lower accuracy rate; difficulty in catching virus variants
- Only available on certain models
- Non-proxy scanning

Slide 12: Virus Scanning (figure only: signature databases Regular, Extended, Extreme, Flow-based)

Slide 13: Submitting Unknown Viruses
- Sometimes a virus may go undetected because it is not in the signature database
- To submit a virus go to: http://www.fortiguard.com/antivirus/virus_scanner.html

Slide 14: Known Virus
- Sometimes viruses will get through because the proper antivirus scan options are not enabled
- The FortiGuard Subscription Service contains information on which database a virus is in

Slide 15: Heuristics Scanning
- Virus-like attribute + virus-like attribute + virus-like attribute > heuristic threshold: suspicious
- The FortiGate unit tests for virus-like behavior
- Virus-like attributes are totaled and, if the total is greater than a threshold, the file is marked as suspicious
- Use the CLI command to block suspicious files
- Possibility of false positives

Slide 16: Antivirus Profiles (figure only)

Slide 17: FortiGuard Sandbox
- Files detected by heuristics as suspicious can be submitted to FortiGuard for sandboxing, or submitted to the FortiSandbox
- Sandboxing a file means executing and monitoring it within a protected environment to determine if it is a new kind of virus or just a software install (a driver install modifies the registry and/or the system files)
- Helps detect zero-day vulnerabilities and provides data for the FortiGuard AV analysts

Slide 18: Botnet Connections
- FortiGuard maintains a list of known botnet IP addresses
- Anything attempting to connect to a known botnet server will be blocked
- The botnet list is periodically updated with FortiGuard updates; requires a valid contract
- The database version can be viewed in the CLI: diag autoupdate version

Slide 19: SSL Inspection Options (figure only)

Slide 20: Logs (figure only)

Slide 21: Labs
- Lab 1: Antivirus Scanning. Ex 1: Antivirus Testing

Slide 22: Classroom Lab Topology (figure only)
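The scanning order of slide 9 and the heuristic threshold of slide 15, combined into one decision chain as an added example that is not part of the course material or FortiOS. scan_file() applies the checks in the slide's order (file size, file name pattern, file type, virus signature, grayware, heuristics) and stops at the first check that reaches a decision, so a blocked file name is never even type-detected; the heuristic step totals the virus-like attributes observed and compares the total with the threshold, blocking only if suspicious files are configured to be blocked. The 10 MB oversize default is the one from the Proxy Options slide; the signature tables, grayware markers, heuristic weights, type magic list and sample files are constructed.

```python
"""Antivirus decision chain in the slide's order (added illustration, not FortiOS
code). Signature tables, heuristic weights and samples are constructed."""
import fnmatch
import hashlib

OVERSIZE_THRESHOLD = 10 * 1024 * 1024    # default oversize threshold (10 MB)
HEURISTIC_THRESHOLD = 3                    # constructed threshold for the demo

# Constructed "databases", keyed by SHA-256 of the file content.
VIRUS_SIGNATURES = {
    hashlib.sha256(b"CONSTRUCTED-VIRUS-SAMPLE").hexdigest(): "Demo/Virus.A",
}
GRAYWARE_SIGNATURES = {
    hashlib.sha256(b"CONSTRUCTED-ADWARE-SAMPLE").hexdigest(): "Demo/Adware.B",
}
# Virus-like attributes a heuristic engine might observe, with constructed weights.
HEURISTIC_WEIGHTS = {"writes-run-key": 2, "self-replicates": 2, "packed": 1}
# File type is taken from the content's leading bytes, not from the extension.
MAGIC = {b"MZ": "PE", b"%PDF": "PDF", b"PK\x03\x04": "ZIP"}


def detect_type(data: bytes) -> str:
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def scan_file(name, data, attributes=(), *, oversize_action="block",
              name_patterns=("*.exe", "*.scr"), blocked_types=("PE",),
              block_suspicious=False):
    """Return (verdict, reason); verdict is 'blocked', 'passed' or 'passed-unscanned'."""
    # 1. File size: an oversize file is blocked, or passed with no further scanning.
    if len(data) > OVERSIZE_THRESHOLD:
        return ("blocked" if oversize_action == "block" else "passed-unscanned", "oversize")
    # 2. File name pattern (case-insensitive glob).
    if any(fnmatch.fnmatch(name.lower(), p) for p in name_patterns):
        return ("blocked", "file-name-pattern")
    # 3. File type from content, so renaming an executable does not help.
    kind = detect_type(data)
    if kind in blocked_types:
        return ("blocked", f"file-type:{kind}")
    # 4. Virus scan against the signature database.
    digest = hashlib.sha256(data).hexdigest()
    if digest in VIRUS_SIGNATURES:
        return ("blocked", f"virus:{VIRUS_SIGNATURES[digest]}")
    # 5. Grayware.
    if digest in GRAYWARE_SIGNATURES:
        return ("blocked", f"grayware:{GRAYWARE_SIGNATURES[digest]}")
    # 6. Heuristics: total the virus-like attributes and compare with the threshold.
    score = sum(HEURISTIC_WEIGHTS.get(a, 0) for a in attributes)
    if score > HEURISTIC_THRESHOLD:
        return ("blocked" if block_suspicious else "passed", f"suspicious:score={score}")
    return ("passed", "clean")


if __name__ == "__main__":
    print(scan_file("report.pdf", b"%PDF-1.4 demo"))
    print(scan_file("setup.bin", b"MZ\x90\x00"))
    print(scan_file("macro.doc", b"\xd0\xcf", ("writes-run-key", "self-replicates")))
```

The order matters operationally: an oversize file passed with no further scanning never reaches the signature or heuristic steps, which is why the oversize action deserves the same attention as the signature settings.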
Module 8: Email Filtering

Slide 2: Module Objectives
By the end of this module participants will be able to:
- Identify the email filtering methods used on the FortiGate device
- Configure banned word, IP address and email address filters
- Define firewall policies using email filter profiles
- Identify some inspection options available for each protocol (SMTP, POP3, IMAP)

Slide 3: Email Filtering
- (figure: email filtering, "SPAM?")
- The FortiGate unit can detect and manage spam email

Slide 4: Spam Actions
- (figure: "Subject: Free Stuff" becomes "Subject: [SPAM] Free Stuff")
- Tag: add a custom phrase/word to the subject line, or a MIME header and value to the body of an email message, for use in back-end or client filtering
- Discard: immediately drop the SMTP connection if spam is detected

Slide 5: Email Filtering Methods
- The FortiGate unit uses a number of techniques to help detect spam
- Some use the FortiGuard Antispam service and require a subscription
- Others use DNS servers or filters created on the device
- Heuristic check; manually configured options

Slide 6: FortiGuard IP Address Check
- The connecting IP address is checked
- FortiGuard is a reputation database; IP behavior is tracked
- More queries about an IP's activity to the FortiGuard network make the reputation worse
- IPs have a score from 1 to 9: 1 is permanently black listed; 9 is permanently white listed (Fortinet server IPs only); less than 3 is considered spam

Slide 7: FortiGuard URL and Email Address Check
- (figure: sample message "Visit our web site at www.acme.com to learn more about this great offer or send an email to deals@acme.com."; what language or character set is the email in?)
- KB Article ID: FD32502

Slide 8: FortiGuard Email Checksum Check
- (figure: the sample message "Our online pharmacy offers great prices on all your prescription medications." is hashed)
- The FortiGate unit sends a hash of the email message to the FortiGuard Antispam Service
- The FortiGuard Antispam Service compares the hash received to hashes of known spam messages

Slide 9: IP Address Black/White List (BWL)
- The FortiGate unit compares the IP address of the sender of an email message to the IP addresses specified in the email filter profile
- An administrator can add to or edit the IP addresses and configure the action to take
- Possible actions on a match: Spam (use the spam action); Clear (consider not spam); Reject (SMTP only)

Slide 10: Email Address Black/White List (BWL)
- (figure: "From: bsmith@acme.com", with the choices Mark as Clear and Mark as Spam)
- The FortiGate unit compares the email address of the sender of an email message to the email addresses specified in the email filter profile
- An administrator can add to or edit the email addresses and configure the action to take
- Wildcards and regular expressions can be used to define the email address

Slide 11: HELO DNS Lookup
- (figure: DNS lookup of the header "Received: from mail.acme.com (10.10.10.1) by classroom.fortinet.com with SMTP; 30 Sept 2013 02:27:02 -0000")

Slide 12: HELO DNS Lookup
- Performs an A record lookup of the SMTP HELO details to confirm it resolves to an IP address
- The domain specified in the email should resolve to an IP
- Does NOT perform any kind of comparison to the sender's IP

Slide 13: Return Email DNS Check
- Confirms that the sending email domain from the reply-to field resolves to an IP address
- The domain the email gets sent to should resolve to an IP
- Does NOT perform any kind of comparison to the sender's IP

Slide 14: Banned Word Check
- Sample message: "Let us fill all your prescription drugs. Visit our online pharmacy for great prices on prescription medications. We offer the widest selection of popular drugs."
- Banned words: Drugs (score 10), Pharmacy (score 5), Prescription (score 5); threshold = 18; 10 + 5 + 5 = 20, so the message is marked as spam
- The FortiGate unit blocks email based on words or patterns in the message
- A weight is assigned to any banned words in the message
- If the threshold is exceeded, the message is marked as spam
- Banned words can be defined using wildcards and regular expressions

Slide 15: MIME Headers Check
- The FortiGate unit can check the MIME header information of incoming email messages
- If a match is found in the header list configured on the device, the corresponding action is taken
- Configured through the CLI only: config spamfilter mheader

Slide 16: DNSBL and ORDBL Check
- The FortiGate unit can compare the IP address or domain name of an incoming email message against third-party DNSBL and ORDBL lists
- Matches IP addresses or domain names of known spammers
- Configured through the CLI only: config spamfilter dnsbl; config spamfilter ordbl

Slide 17: Email Filtering Order (SMTP)
1. IP BWL check
2. DNSBL & ORDBL
3. FortiGuard IP
4. HELO DNS
5. MIME header
6. Email BWL
7. Banned word (on subject)
8. Return email DNS
9. FortiGuard URL
10. FortiGuard checksum
11. DNSBL & ORDBL (Received header)
12. Banned word (on body)
13. IP BWL check (Received header)

Slide 18: Email Filtering Order (POP3, IMAP)
1. MIME header
2. Email BWL
3. Banned word (on subject)
4. IP BWL check
5. Banned word (on body)
6. Return email DNS
7. FortiGuard IP
8. FortiGuard URL
9. FortiGuard checksum
10. DNSBL & ORDBL
- Not all SMTP-based spam checks are available!!
POP3/IMAP used between Mail server and client checking email SMTP used between Mail servers delivering email 101 FOR REVIEW ONLY Course 201 - Administration, Content Inspection and VPNs Email Filtering 01-50003-0201-20131018-D 19 Request Removal From FortiGuard Spam filtering is best effort so there can be false positives that occur periodically Submit details to the Spam department at: www.fortiguard.com/antispam/antispam.html 20 FortiGuard Email Filtering Options Cache IP address: 10.10.10.1 URL: www.acme.com Message checksum: x65Fsd34c Caching reduces FortiGuard requests; can improve performance Small % of system memory dedicated to cache Query results cached until TTL setting is reached Alternate port 8888 for access to FortiGuard servers 102 FOR REVIEW ONLY Course 201 - Administration, Content Inspection and VPNs Email Filtering 01-50003-0201-20131018-D 21 Email Filter Profile Email Filter security feature disabled by default To configure profile, first go to System > Status and set Email Filter to ON 22 Labs Lab 1: Email Filtering Ex 1: Configuring FortiGuard AntiSpam 103 FOR REVIEW ONLY Course 201 - Administration, Content Inspection and VPNs Email Filtering 01-50003-0201-20131018-D 23 Classroom Lab Topology 104 FOR REVIEW ONLY Course 201 - Administration, Content Inspection and VPNs Web Filtering 01-50003-0201-20131018-D 1 2013 Fortinet Inc. All rights reserved. The information contained herein is subject to change without notice. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet Inc. 
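The HELO DNS Lookup and Return Email DNS checks described in the email filtering slides, as an added example that is not Fortinet code. The Received header is the slide's sample, the DNS table standing in for a real resolver is constructed, and helo_ip_mismatch is an extra comparison the FortiGate check does not perform, included to show what the "no comparison to sender's IP" caveat means in practice.

```python
"""Added example (not Fortinet code): HELO DNS Lookup and Return Email DNS
checks run against a constructed Received header and an in-memory DNS table
(an assumption standing in for real resolver queries)."""
import re
from typing import Dict, Optional

# Constructed A-record table; a real check would query DNS.
FAKE_DNS: Dict[str, str] = {
    "mail.acme.com": "10.10.10.1",
    "acme.com": "10.10.10.5",
    "classroom.fortinet.com": "10.0.1.254",
}

# "Received: from <HELO name> (<connecting IP>) by <receiving host> ..."
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s+\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)"
    r"\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def resolve_a(hostname: str, dns: Dict[str, str] = FAKE_DNS) -> Optional[str]:
    """Return the A record for hostname, or None when it does not resolve."""
    return dns.get(hostname.lower().rstrip("."))


def parse_received(header: str) -> Dict[str, str]:
    """Extract HELO name, connecting IP and receiving host from a Received header."""
    m = RECEIVED_RE.match(" ".join(header.split()))
    if not m:
        raise ValueError("unrecognised Received header")
    return m.groupdict()


def helo_dns_check(header: str, dns: Dict[str, str] = FAKE_DNS) -> bool:
    """HELO DNS Lookup: pass when the HELO name has an A record.

    As the slide says, only resolvability is tested; the resolved address is
    never compared with the IP that actually connected.
    """
    return resolve_a(parse_received(header)["helo"], dns) is not None


def helo_ip_mismatch(header: str, dns: Dict[str, str] = FAKE_DNS) -> bool:
    """Extra, defender-side comparison the FortiGate check does NOT perform:
    True when the HELO name resolves, but to an address other than the
    connecting IP. Such a message still passes helo_dns_check, which is
    why this condition is worth logging separately."""
    fields = parse_received(header)
    resolved = resolve_a(fields["helo"], dns)
    return resolved is not None and resolved != fields["ip"]


def return_email_dns_check(reply_to: str, dns: Dict[str, str] = FAKE_DNS) -> bool:
    """Return Email DNS Check: pass when the Reply-To domain resolves to an IP."""
    address = reply_to.strip()
    if "<" in address and ">" in address:          # "Name <user@domain>" form
        address = address[address.index("<") + 1:address.index(">")]
    if "@" not in address:
        return False
    return resolve_a(address.rsplit("@", 1)[1], dns) is not None


# Sample Received header copied from the slide.
SAMPLE = ("Received: from mail.acme.com (10.10.10.1) by classroom.fortinet.com "
          "with SMTP; 30 Sept 2013 02:27:02 -0000")

if __name__ == "__main__":
    print("HELO DNS check:", helo_dns_check(SAMPLE))
    print("HELO/IP mismatch:", helo_ip_mismatch(SAMPLE))
    print("Return Email DNS check:", return_email_dns_check("Deals <deals@acme.com>"))
```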
FortiGate Multi-Threat Security Systems
Module 9: Web Filtering

2 Module Objectives
By the end of this module participants will be able to:
Identify the web filtering mechanisms used on the FortiGate device
Create web content and URL filters
Configure FortiGuard Web Filtering
Configure FortiGuard Web Filtering exemptions and rating overrides
Define firewall policies using web filter profiles
Explain the differences between various web filter modes

3 Web Filtering
Means of controlling the web content that a user is able to view:
Preserve employee productivity
Prevent network congestion where valuable bandwidth is used for non-business purposes
Prevent loss or exposure of confidential information
Decrease exposure to web-based threats
Limit legal liability when employees access or download inappropriate or offensive material
Prevent copyright infringement caused by employees downloading or distributing copyrighted materials
Prevent children from viewing inappropriate material

4 Proxy-Based Web Filtering
Proxy-based solution that sits between client and server
Inspects the full URL
Allows customizable block pages to be displayed when sites are prevented
Most resource-intensive option; lowest throughput
Has the most options available in the Advanced section

5 Proxy-Based Web Filtering
Select the inspection mode in the web filter profile

6 Flow-Based Web Filtering
Non-proxy solution that uses the IPS engine to perform inspection
High throughput
Inspects the full URL
FortiGuard Web Filtering override will not apply when flow-based inspection is enabled
Only a few Advanced options available; not as flexible as proxy-based
Allow, Monitor, Block ONLY; Warn and Authenticate not possible; overrides not possible

7 Flow-Based Web Filtering
Select the inspection mode in the web filter profile

8 DNS-Based Web Filtering
DNS-proxy solution that uses DNS queries to decide access
DNS queries are redirected to the FortiGuard SDNS server
Very lightweight; SSL inspection never required
Cannot inspect the URL, only the hostname (DNS)
Supports URL Filtering and FortiGuard Category only
No individual block pages; can redirect to a portal
Web site access by IP means no DNS lookup

9 DNS-Based Web Filtering
Select the inspection mode in the web filter profile

10 When Does Filtering Activate?
Diagram: a client request for www.acme.com showing the DNS request and response, the TCP 3-way handshake, the HTTP GET and the HTTP 200 response; the DNS response and the HTTP GET are the points marked where filtering activates.

11 HTTP Inspection Order
Diagram: the checks run in sequence: Web URL Filter, FortiGuard Filter, Content Filter, Advanced Filter, Virus Scan. At each step a Block result shows the block page and an Allow result passes the request to the next check; a URL filter result of Exempt skips ALL further inspection and the page is displayed.

12 Types of Web Filtering
Proxy-Based: highly secure; traffic is cached
Flow-Based: high throughput; no caching; not as secure
DNS-Based: very lightweight; hostname filtering only; no advanced options, URL and FortiGuard only

13 Web Content Filtering
Create the pattern list in the CLI
Example: Drugs Score=10, Pharmacy Score=5, Prescription Score=5; Threshold=18; 10 + 5 + 5 = 20 for a page on www.acme.com; action Block or Exempt
Allow or block web pages containing specific words or patterns
Wildcards or regular expressions are used to define patterns
Scores for matched patterns are added
If greater than the threshold, the FortiGate unit performs the configured action
If a pattern appears multiple times on a web page, its score is only counted once

14 Web URL Filtering
Control web access by allowing or blocking URLs
Text, wildcards or regular expressions can be used to define the URL patterns
If there is no URL match on the list, go on to the next enabled check
Possible web URL filter actions are: Allow, Block, Monitor, Exempt

15 Web URL Filtering
Diagram: the requested URL www.mypage.com/index.html is compared against a URL filter list containing www.example.com, www.abc.com, www.mypage.com/index.html and www.mypage.com, each entry carrying one of the actions Block, Allow, Monitor or Exempt.

16 Forcing Safe Search
Safe Search is used by search sites to prevent explicit web sites and images from appearing in search results
The FortiGate unit rewrites the search URL to include the required codes to enable Safe Search
Supported for Google, Bing, Yahoo! and Yandex
Does NOT force strict safe search
YouTube EDU available; instructions for YouTube will include the value to enter on the FortiGate unit

17 FortiGuard Category Filter
Diagram: the request for www.mypage.com is rated into a category and receives the action configured for that category: Block, Allow, Monitor, Warning or Authenticate.

18 FortiGuard Category Filter
The FortiGate unit accesses the FortiGuard Distribution Server to determine the category of a requested page
Action is taken based on the selection in the web filtering profile
Web filter rating is determined by: human rater, text analysis, exploitation of web structure
Descriptions of the categories can be found on the FortiGuard website: http://www.fortiguard.com/static/webfiltering.html

19 FortiGuard Category Filter
Split into multiple categories and sub-categories
The layout will switch periodically as the Internet changes
New categories and sub-categories are released and are compatible with updated firmware
Older firmware has new values mapped to existing categories

20 FortiGuard Caching
Most web sites are visited over and over again
The FortiGate unit can remember what the response was
Caching improves performance by reducing FortiGate unit requests to FortiGuard servers
The cache is checked before sending a request to the FortiGuard server
The TTL setting controls the number of seconds query results are cached
A small amount of FortiGate unit system memory is dedicated to the cache
Default is 2% used for cache; can be increased to 15% from the CLI
Port 53 is used for FortiGuard communications; the alternate port number 8888 can be used
KB Article IDs: 11779, FD32121, FD30088

21 FortiGuard Usage Quotas
Diagram: repeated requests in the Games category, each drawing on the Games quota.
Quotas allow access to specific categories for a specific length of time (calculated separately for each quota configured)
If authentication is enabled, the quota is automatically based on the user; otherwise the IP is used
Can only apply to categories with the actions Monitor, Warn or Authenticate

22 Rating Submissions
Requests for the rating of a web site, or to have a web site's rating re-evaluated, can be submitted by accessing: http://www.fortiguard.com/ip_rep.php

23 Rating Override
Diagram: www.acme.com, Category: General Organizations, Sub-Category: Information and Computer Security, with a rating override applied.

24 Rating Override
Can override the rating applied to a hostname by FortiGuard Subscription Services
The hostname is reassigned to a completely different category and uses that category's action
The override applies to the FortiGate unit only; changes are not submitted to FortiGuard Subscription Services
Hostnames only; slide examples: google.com, www.google.com, www.google.com/index.html

25 Local Categories
Rename and deletion of sub-categories only in the CLI:
config webfilter ftgd-local-cat
delete <cat_name>
rename <cat_name> to <cat_name>

26 Warning Action
Action = Warning (right click in the GUI)
Diagram: Web Filtering Warning Page

27 Authenticate Action
Diagram: Authenticate action example with www.hackthissite.org and the Marketing group.

28 Web Filter Profiles
Web filtering, FortiGuard web filtering and Advanced Filter options are enabled through web filtering profiles
The profile is in turn applied to a firewall policy
Any traffic being examined by the policy will have the web filtering operations applied to it

29 Labs
Lab 1: Web Filtering
Ex 1: FortiGuard Web Filtering

30 Classroom Lab Topology
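An added example, not Fortinet code, that walks two stages of the HTTP inspection order above (Web URL Filter, then Web Content Filter) and implements the weighted pattern scoring that both the Banned Word Check slide in the email module and the Web Content Filtering slide describe. The filter entries, pattern types (simple, wildcard, regex) and page text are constructed; the first-match ordering, the threshold rule and "Exempt skips all further inspection" follow the slides.

```python
"""Added example (not Fortinet code): Web URL Filter followed by Web Content
Filter, with banned-word style scoring. Lists and page text are constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


def compile_pattern(pattern: str, kind: str) -> "re.Pattern[str]":
    """kind: 'simple' (literal substring), 'wildcard' (* and ?) or 'regex'."""
    if kind == "regex":
        return re.compile(pattern, re.IGNORECASE)
    if kind == "wildcard":
        parts = [".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
                 for ch in pattern]
        return re.compile("".join(parts), re.IGNORECASE)
    if kind == "simple":
        return re.compile(re.escape(pattern), re.IGNORECASE)
    raise ValueError(f"unknown pattern type {kind!r}")


@dataclass(frozen=True)
class UrlEntry:
    pattern: str
    kind: str
    action: str      # allow | block | monitor | exempt


@dataclass(frozen=True)
class WordEntry:
    pattern: str
    kind: str
    score: int


def url_filter(url: str, entries: List[UrlEntry]) -> Optional[str]:
    """Top-down, first matching entry wins. None means no entry matched,
    so the next enabled check runs."""
    for entry in entries:
        if compile_pattern(entry.pattern, entry.kind).search(url):
            return entry.action
    return None


def content_score(text: str, words: List[WordEntry]) -> int:
    """Sum of scores of matched patterns. A pattern that appears several
    times is counted once, as the Web Content Filtering slide states."""
    return sum(w.score for w in words
               if compile_pattern(w.pattern, w.kind).search(text))


def inspect_http(url: str, body: str, urls: List[UrlEntry],
                 words: List[WordEntry], threshold: int) -> Tuple[str, str]:
    """Return (verdict, reason) for one request, in slide order."""
    action = url_filter(url, urls)
    if action == "exempt":
        return "allow", "url-exempt"          # skips ALL further inspection
    if action == "block":
        return "block", "url-filter"
    # allow, monitor or no match: continue to the content filter
    score = content_score(body, words)
    if score > threshold:
        return "block", f"content-filter score={score}"
    return "allow", "url-monitor" if action == "monitor" else "content-filter"


# Constructed lists, reusing the slides' example values.
URL_LIST = [
    UrlEntry("www.example.com", "simple", "block"),
    UrlEntry("www.mypage.com/index.html", "simple", "exempt"),   # before the wildcard
    UrlEntry("*.mypage.com", "wildcard", "monitor"),
    UrlEntry(r"^https?://www\.abc\.com/", "regex", "allow"),
]
WORD_LIST = [
    WordEntry("drugs", "simple", 10),
    WordEntry("pharmac*", "wildcard", 5),      # matches pharmacy, pharmacies, ...
    WordEntry(r"prescription", "regex", 5),
]
THRESHOLD = 18
PAGE_TEXT = ("Let us fill all your prescription drugs. Visit our online pharmacy "
             "for great prices on prescription medications. We offer the widest "
             "selection of popular drugs.")

if __name__ == "__main__":
    for url in ("http://www.mypage.com/index.html", "http://www.mypage.com/about",
                "http://www.example.com/", "http://www.abc.com/"):
        print(url, inspect_http(url, PAGE_TEXT, URL_LIST, WORD_LIST, THRESHOLD))
```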
FortiGate Multi-Threat Security Systems
Module 10: Application Control

2 Module Objectives
By the end of this module participants will be able to:
Describe how a signature trigger is accomplished
Add additional software
Define application control rules by category
Define application control rules by specific entry
Define firewall policies using application control lists
Use application control to perform traffic shaping

3 Application Control
Application control is used to detect and take actions on network traffic based on the application generating the traffic (Facebook, Skype, Gmail etc.)
Can detect application traffic even if contained within other protocols
Supports a large number of applications and categories
DiffServ per application filter
Supports shared and per-IP traffic shaping for application control

4 Application Control List
An application control list defines the applications that will be subject to inspection
For each application, the administrator can specify whether to pass or block the application traffic, in addition to other settings
The default rule set is very restrictive; an AV/IPS update must be performed in order to obtain new rules

5 Adding to the List
Requests for additional or revised application control coverage can be submitted using FortiClient or by accessing: http://www.fortiguard.com/applicationcontrol/appform.html

6 Application Control Profile
Application control options are enabled through application control sensors
The sensor is in turn applied to a firewall policy
Any traffic being examined by the policy will have the application control operations applied to it

7 Example: Facebook Application Control

8 Order of Operations
Processed from the top down; the first match action is applied
A rule can be a single application or picked from a set of options to apply to multiple applications

9 Implicit Rules
Implicit 1: matches traffic against every possible application control signature
Implicit 2: matches traffic that does not conform to any application control signature

10 Creating a Filter Rule

11 FortiGuard
Searchable list of signatures, with descriptions: http://www.fortiguard.com/encyclopedia/applications/
Signatures change and update

12 Behavior Identification

13 Instant Messenger
Support for MSN (defunct), Yahoo, ICQ and AIM
Software passes traffic through a single IM proxy
The communications protocols have never been released or had an RFC published; the proxy was designed through reverse engineering
Must be explicitly enabled in order to activate the IM proxy (not enabled if IM selected)

14 Instant Messenger

15 Instant Messenger

16 Fine Tuning Instant Messenger
The Instant Messenger policy is configurable from the CLI; the default is to allow all users
config imp2p policy
set [aim/icq/msn/yahoo] [allow/deny]
end
Users can only be restricted if the policy is set to deny; cannot block by user if the policy is set to allow
Maximum 1000 IM users

17 Instant Messenger Users
The first user must be created in the CLI
config imp2p (protocol)-user
edit (username)
end

18 Monitor

19 Traffic Shaping
Allows traffic shaping to apply to only SOME of the traffic passing through a profile/policy
Only traffic matching an application control signature is shaped
Can track application bandwidth usage and use traffic shaping to control heavy traffic applications
Can use all normal traffic shaping options: Shared, Per-IP, Reverse

20 Traffic Shaping: Working Example

21 How Does My Software Actually Work?

22 Under the Hood
Application control looks at packets and performs a pattern match comparison to determine the traffic
Does not perform any kind of scanning of either system
Only reports that packets match an enabled pattern

23 Peer-to-Peer Detection
Traditional file transfer: 1 client, 1 server

24 Peer-to-Peer Detection
Peer-to-peer transfer: 1 client, N servers

25 Peer-to-Peer Detection
Why is P2P traffic so difficult to detect?
Traditional protocols (HTTP, FTP) were designed to be distinct and separate from other protocols.
P2P communication protocols were designed to be difficult to distinguish from other protocols

26 Labs
Lab 1: Application Identification, Ex 1: Creating an Application Control list
Lab 2: Traffic Shaping, Ex 1: Limiting YouTube Traffic
Lab 3: Selective Application Control, Ex 1: Block Wikipedia Editing

27 Classroom Lab Topology
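The top-down, first-match evaluation of an application control sensor with its two implicit rules, as an added example that is not Fortinet code. Flow records, signature names, category labels and the shaper name are constructed; the two sensors show how placing a broad category rule above a specific entry prevents the specific entry from ever firing.

```python
"""Added example (not Fortinet code): first-match evaluation of an
application control sensor plus the Implicit 1 / Implicit 2 rules.
Flows, signature names and categories are constructed labels."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """Outcome of signature matching for one session (constructed)."""
    app: Optional[str]         # matched signature name, None if none matched
    category: Optional[str]    # the signature's category, None if no match


@dataclass(frozen=True)
class Rule:
    """One sensor entry: specific application entries and/or categories."""
    action: str                                     # pass | block | shape
    apps: FrozenSet[str] = frozenset()
    categories: FrozenSet[str] = frozenset()
    shaper: Optional[str] = None                    # only meaningful for shape

    def matches(self, flow: Flow) -> bool:
        if flow.app is None:                        # no signature matched
            return False
        return flow.app in self.apps or flow.category in self.categories


def evaluate(flow: Flow, rules: List[Rule],
             implicit_known: str = "pass",
             implicit_unknown: str = "pass") -> Tuple[str, str]:
    """Return (action, which_rule). Rules are processed from the top down
    and the first match wins. Implicit 1 catches any remaining traffic
    that matched some signature; Implicit 2 catches traffic that matched
    no signature at all."""
    for idx, rule in enumerate(rules, start=1):
        if rule.matches(flow):
            label = f"rule {idx}"
            if rule.action == "shape" and rule.shaper:
                label += f" (shaper {rule.shaper})"
            return rule.action, label
    if flow.app is not None:
        return implicit_known, "implicit 1 (all known applications)"
    return implicit_unknown, "implicit 2 (unknown applications)"


# Constructed sensors. Category and signature names are illustrative.
SENSOR_A = [                 # category rule first: the Facebook block never fires
    Rule("pass", categories=frozenset({"Social.Media"})),
    Rule("block", apps=frozenset({"Facebook"})),
]
SENSOR_B = [                 # specific entry first, then the category, then shaping
    Rule("block", apps=frozenset({"Facebook"})),
    Rule("pass", categories=frozenset({"Social.Media"})),
    Rule("shape", apps=frozenset({"YouTube"}), shaper="limit-video"),
]

FACEBOOK = Flow("Facebook", "Social.Media")
TWITTER = Flow("Twitter", "Social.Media")
YOUTUBE = Flow("YouTube", "Video/Audio")
UNKNOWN = Flow(None, None)

if __name__ == "__main__":
    for name, sensor in (("A", SENSOR_A), ("B", SENSOR_B)):
        for flow in (FACEBOOK, TWITTER, YOUTUBE, UNKNOWN):
            print(name, flow.app, evaluate(flow, sensor))
```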
FortiGate Multi-Threat Security Systems Administration, Content Inspection and VPNs
Student Lab Guide Course 201
01-50003-0201-20131018-D
Copyright 2013 Fortinet, Inc. All rights reserved. No part of this publication including text, examples, diagrams, or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical, or otherwise, for any purpose, without prior written permission of Fortinet, Inc.
Trademarks Dynamic Threat Prevention System (DTPS), APSecure, FortiASIC, FortiBIOS, FortiBridge, FortiClient, FortiGate, FortiGate Unified Threat Management System, FortiGuard, FortiGuard- Antispam, FortiGuard-Antivirus, FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiAnalyzer, FortiManager, Fortinet, FortiOS, FortiPartner, FortiProtect, FortiReporter, FortiResponse, FortiShield, FortiVoIP, and FortiWiFi are trademarks of Fortinet, Inc. in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Virtual Lab Environment Basics
This section provides details of the virtual lab environment that will be used for the hands-on labs in this course. Steps are included for connecting to the virtual environment along with troubleshooting tips to help students easily navigate the lab configuration.
Alert: The following section is only applicable to the Fortinet hosted virtual lab environment. Please ignore this section if you are using an alternate classroom lab environment unless otherwise directed by your trainer. If you are uncertain, consult your trainer to find out which lab setup documentation you must follow.
The network diagram below shows the configuration of the virtual environment that students will use in the course.
1. Run the TrueLab System Checker to verify the compatibility of your computer with the virtual lab environment. Use the URL that is specific to your location.
Americas: http://truelab.hatsize.com/syscheck
EMEA: http://truelab.hatsize.com/syscheck/frankfurt/
APAC: http://truelab.hatsize.com/syscheck/singapore/
Click Run if a security warning window appears.
The TrueLab System Checker will determine whether a connection can be established from the PC to the TrueLab environment. It can also help troubleshoot connectivity problems related to the Java Virtual Machine, company firewall, or proxy server. If the PC is successfully able to connect to the TrueLab virtual lab environment a Success message will be displayed.
If a status of Failed is displayed, verify the on-screen messages to identify potential problem areas or click the Troubleshooter link to help diagnose any problems that were encountered. For assistance with troubleshooting speak to your instructor.
2. If a status of SUCCESS is displayed, log in to the virtual lab portal by browsing to the following URL: http://remotelabs.training.fortinet.com/
Enter the username and password provided by the instructor and click LOGIN.
Alternatively, you may have received log in credentials for the following URL: http://virtual.mclabs.com/ Check with your instructor if you are not certain about which portal to use.
3. Select the time zone for your location from the drop-down menu and click UPDATE. By selecting the proper time zone you ensure that the class schedule is accurate.
4. The virtual lab Java applet is launched. Select a resolution for the applet and click Open to access the Windows 2003 Server device in the virtual lab environment. This will serve as the primary student machine for the classroom exercises.
Note: If for any reason the connection to the virtual Windows 2003 Server is lost, regain access by selecting Operations > Disconnect and then Operations > Connect to Primary from the menu.
5. To connect to other virtual machines in this environment go to Operations > Connect to Secondary and select one of the available machines in the list.
The instructor will provide a description of each of the virtual systems available to you in the virtual lab environment.
Troubleshooting Tips
It is not recommended to connect to the virtual lab environment using a wireless (Wi-Fi) connection or a VPN tunnel. For optimal performance, connect to the lab environment through a dedicated LAN connection.
Ensure that the company network or firewall policies are not blocking Java applets.
Students should ensure that the following settings are configured on their computer:
Screen savers should be disabled on the computer
The Power Scheme used on the computer should be set to Always on
In the Java Control Panel (located in the Windows Control Panel) ensure that Java console is set to Show console. It is recommended that the Java console be left open as it often provides useful logs for troubleshooting.
If you get disconnected unexpectedly from any of the virtual machines (or from the virtual lab portal) please reattempt a connection. If unable to reconnect after multiple attempts, please notify the instructor.
If during the labs, particularly when reloading configuration files, you see a message similar to the one shown below, go to the console and enter the CLI command execute update-now.
This message indicates that the FortiGate VM is waiting for a response from the authentication server. The command execute update-now will resend the request and force a response.
Classroom Lab Configuration
The following diagram illustrates the classroom network configuration that will be used for the labs in this course. Each student has an identical lab environment and has full control of their lab devices.
Each student will manage the following devices:
Windows 2003 Server (student working device)
2 FortiGate devices
Windows XP
Linux Server
Module 1 Lab 1: Initial Setup and Configuration
This first lab will provide an initial orientation to the CLI and administrative GUI and will guide the student through the basic setup of the FortiGate unit. This lab will demonstrate how to properly back up and restore a configuration file, as well as manipulate administrative access to a FortiGate unit. If during the labs, particularly when reloading configuration files, you see a message similar to the one shown below, go to the console and enter the CLI command execute update-now.
This message indicates that the FortiGate VM is waiting for a response from the authentication server. The execute update-now command will resend the request and force a response.
Objectives:
Distinguish between an encrypted and non-encrypted configuration file
Describe how to back up and restore configuration files
Recognize model and build information inside a configuration file
Estimated time to complete this lab: 15 minutes
Exercise 1
The steps below only need to be performed if your virtual lab set-up has been started from a blank FortiGate image. Before proceeding, please check with your Instructor to confirm if these steps are required for your particular classroom lab configuration.
1. Connect to the console of the Student FortiGate device (in the virtual lab applet, go to Operations > Connect to Secondary > Student) and at the login screen, enter the default username of admin (all lowercase) and leave the password blank.
2. To access the Student FortiGate device using the GUI, you must first modify the port3 interface settings by executing the following CLI commands:
conf system interface
edit port3
set ip 10.0.1.254/24
set allowaccess http
end
You have now configured the port3 interface with a proper IP address and device access settings.
3. Enter the following command to check your configuration:
show system interface
4. Open a web browser and enter the following URL to access the GUI for the Student FortiGate device: http://10.0.1.254
Accept the FortiGate unit's self-signed certificate or security exemption if a security warning appears.
HTTPS is the recommended protocol for administrative access to the FortiGate unit. Other available protocols include SSH, PING, SNMP, HTTP and Telnet.
Note: To access the FortiGate GUI using a standard web browser, cookies and JavaScript must be enabled for proper rendering and display of the graphical user interface.
The login page of the Student FortiGate device should now be displayed. Please do not log in at this point. You will have the opportunity to explore the FortiGate unit's GUI in a later exercise. If you are not presented with a login page, check with your Instructor before proceeding.
5. Connect to the console of the Remote FortiGate device (in the virtual lab applet, go to Operations > Connect to Secondary > Remote) and at the login screen, enter the default username of admin (all lowercase) and leave the password blank.
6. Enter the following CLI commands to set the port4 IP address and access control settings for your device.
conf system interface
edit port4
set ip 10.200.3.1/24
set allowaccess http ping
end
7. Next, check the route configuration by executing the following command:
show router static
If there is no static route configured on port4, execute the commands shown below to set this static route. (Routing will be explained in more detail in a later section.)
conf route static
edit 0
set device port4
set gateway 10.200.3.254
end
8. You can enter the following commands to check your configuration:
show system interface
show router static
At this stage, you will not be able to connect to the Remote FortiGate device until you have configured your Student FortiGate device with routing information and a firewall policy to allow that management traffic. This configuration will be added later.
Exercise 2
In this exercise, students will be introduced to the FortiGate unit's command line interface (CLI).
1. Connect to the console of the Student FortiGate device and at the login screen enter the default username of admin (all lowercase) and no password.
2. Type the following command to display status information about the FortiGate unit:
get system status
The output displays the FortiGate unit serial number, firmware build, operational mode, and additional settings.
Confirm that the firmware build is the correct version for this class. 3. Type the following command to see a full list of accepted objects for the get command: get ?
Note: The ? character is not displayed on the screen. At the --More-- prompt in the CLI, press the spacebar to continue scrolling or <enter> to scroll one line at a time. Press <q> to exit. Depending on the objects and branches used with this command, there may be other sub-keywords and additional parameters to enter.
4. Press the up arrow key to display the previous get system status command and try some of the control key sequences that are summarized below.
Previous command: up arrow, or CTRL+P
Next command: down arrow, or CTRL+N
Beginning of line: CTRL+A
End of line: CTRL+E
Back one word: CTRL+B
Forward one word: CTRL+F
Delete current character: CTRL+D
Clear screen: CTRL+L
Abort command and exit branch: CTRL+C
CTRL+C is context sensitive and in general aborts the current command and moves up to the previous command branch level. If already at the root branch level, CTRL+C will force a logout of the current session and another login will be required.
5. Type the following command and press the <tab> key 2 or 3 times.
execute <tab>
The command displays the list of available system utility commands one at a time each time the <tab> key is pressed.
6. Type the following command to see the entire list of execute commands:
execute ?
7. Enter the following CLI commands and compare the available keywords for each one:
config ?
show ?
config begins the configuration mode while show displays the configuration. The only difference is show full-configuration. The default behavior of the show command is to only display the differences from the factory-default configuration.
8. Enter the CLI commands shown below to display the FortiGate unit's internal interface configuration settings and compare the output for each of them. Only the characters shown in bold type face need to be typed, optionally followed by <tab>, to complete the command keyword. Use this technique to reduce the number of keystrokes needed to enter information. CLI commands can be entered in an abbreviated form as long as enough characters are entered to ensure the uniqueness of the command keyword.
show system interface port3
show full-configuration system interface port3
Exercise 3
From the Windows Server, you first will need to connect to the Student FortiGate device and restore the configuration file needed to complete the upcoming exercises.
1. Open a web browser and connect to the following URL to access the GUI on the Student FortiGate device: http://fgt.student.lab
2. Go to System > Dashboard > Status. Under System Information, click Restore.
3. Browse the Desktop and navigate to the Resources > Module1 > Student folder.
Select the file student-initial.conf and click Restore.
After restoring the configuration, the FortiGate unit will automatically reboot. The length of the boot process is affected by how complex the configuration is. The more complicated the configuration, the longer it will take to parse it and complete the boot process.
Most configurations take less than 1 minute to complete the reboot process.
4. Reconnect to the GUI on the Student FortiGate device and verify the restored configuration. Go to System > Network > Interface and check your network interfaces. Go to Router > Static > Static Route and check your default route.
5. Next, perform the following steps on the Student FortiGate device to verify the DNS configuration settings for the Student and Remote FortiGate devices. These DNS settings have been added to simplify access to the lab devices. Go to System > Network > DNS Server and review the student and remote DNS zones. In the student DNS zone, verify the IPv4 Address (A) records and Pointer (PTR) records for the Student FortiGate device (10.0.1.254) and the Windows Server (10.0.1.10). In the remote DNS zone, check the IPv4 Address (A) records and Pointer (PTR) records for the Remote FortiGate device (10.200.3.1) and the Windows host (10.0.2.10).
6. From a DOS command prompt on the virtual Windows Server, execute the following commands to verify the DNS lookup functionality. DNS requests are being sent to port3, and recursive DNS requests are allowed on this interface.
   nslookup server.student.lab 10.0.1.254
   nslookup fgt.student.lab 10.0.1.254
   nslookup pc.remote.lab 10.0.1.254
   nslookup fgt.remote.lab 10.0.1.254
Note: The syntax of the nslookup command is: nslookup [-option] [hostname] [server]
7. In a web browser on the virtual Windows Server, connect to the following web pages to verify that the GUI of the Student and Remote FortiGate devices can be accessed using their DNS hostnames:
   http://fgt.student.lab
   http://fgt.remote.lab

Module 1 Lab 1: Initial Setup and Configuration - Exercise 4
1. Connect to the GUI on the Student FortiGate device by accessing the URL: https://fgt.student.lab
2. Go to System > Dashboard > Status and under System Information, click Backup.
Select Encrypt configuration file and enter the password: fortinet. Click Backup and save the encrypted configuration file to the Desktop with the filename student-initial-enc.conf. (You may need to modify the web browser's settings to prompt for the location to save files. For Firefox, go to Tools > Options > General and select Always ask me where to save files.)
3. Next, try restoring the encrypted configuration file. Browse the Desktop, navigate to the file student-initial-enc.conf and click Restore. This time you will need to enter the password fortinet, as this file is encrypted. Using WordPad or Notepad++, open the file student-initial.conf. In another instance of WordPad, open the file student-initial-enc.conf and compare the details in both.
Note: In both the normal and encrypted configuration the top of the file acts as a header, describing the firmware and model information this configuration belongs to.
Caution: When backing up the FortiGate unit's configuration, be sure to use a naming convention that you understand and which identifies both the date and the device information. Every time that you log in and make changes to your device (even if the change seems minor or insignificant), you should ALWAYS make a backup of the configuration file. This will always be the best form of protection against problems.

Module 1 Lab 2: Administrative Access
The aim of this lab will be to demonstrate how to create and modify administrative access permissions.
- Identify the steps to create a new administrative user
- Recognize the options to restrict administrative access
Estimated time to complete this lab: 10 minutes

Module 1 Lab 2: Administrative Access - Exercise 1
1. From the GUI on the Student FortiGate device, go to System > Admin > Settings and select Enable Password Policy. Configure the password policy using the following settings:
   Minimum Length: 8
   Must Contain: Enable (1 Upper Case Letter, 1 Numerical Digit)
   Enable Password Expiration: Enable (90 days)
Once the settings have been modified, click Apply to save the changes.
2. Log out of the GUI, then log back in again; you will be prompted to enter a new administrator password. Enter a new password that meets the requirements configured above.
3. Next, go to System > Admin > Admin Profile and create a new Admin profile called Security_Admin_Profile. Set Security Profile Configuration to Read-Write and set all other permissions to Read Only. Once the profile settings have been modified, click OK to save the changes.
4. Go to System > Admin > Administrators and click Create New to add a new Admin user called Security_Admin. Set Admin Profile to the new profile you created in the previous step. By doing this, you are limiting this Admin user's access so that they will only be able to modify and create security profiles.
Note: Administrator names and passwords are case-sensitive. You cannot include the < > ( ) # characters in an administrator name or password. Spaces are allowed, but not as the first or last character. Spaces in a name or password can be confusing and require the use of quotes to enter the name in the CLI.
Once the Administrative user settings have been entered, click OK to save the changes.
5. To view the configuration for administrative users and profiles, type the following CLI commands:
   show system admin
   show system accprofile
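As an added illustration of the password policy from step 1 and the name and password character rules in the note above, here is a stand-alone Python checker. It is example code written for this guide, not FortiGate's own implementation; the function names, the reading of "90 days" as expired on or after the 90th day, and the sample values are assumptions of the example.

```python
"""Added example: check an administrator name and password against the
rules described in this lab. Not FortiGate code.

Rules taken from the lab text:
  - password: minimum length 8, at least 1 upper-case letter, at least
    1 numerical digit, expires after 90 days
  - names and passwords: the characters < > ( ) # are not allowed; spaces
    are allowed, but not as the first or last character
"""
from __future__ import annotations
from datetime import date, timedelta

FORBIDDEN_CHARS = set("<>()#")   # from the note: not allowed in names or passwords
MIN_LENGTH = 8                   # Minimum Length setting
EXPIRY_DAYS = 90                 # Password Expiration setting


def check_admin_string(value: str) -> list[str]:
    """Return the rule violations that apply to both names and passwords."""
    problems = []
    if any(c in FORBIDDEN_CHARS for c in value):
        problems.append("contains one of the forbidden characters < > ( ) #")
    if value != value.strip(" "):
        problems.append("starts or ends with a space")
    return problems


def check_password(password: str) -> list[str]:
    """Return the list of policy violations; an empty list means compliant."""
    problems = check_admin_string(password)
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no numerical digit")
    return problems


def password_expired(set_on: date, today: date) -> bool:
    """Assumption of this example: a password set on day 0 is expired from
    day 90 onward."""
    return today - set_on >= timedelta(days=EXPIRY_DAYS)


if __name__ == "__main__":
    # Constructed sample values, not credentials from the lab.
    for candidate in ("Fortinet1", "fortinet", "Fort1", " Admin1x"):
        print(repr(candidate), check_password(candidate) or "compliant")
    print(check_admin_string("Security_Admin") or "valid admin name")
```

The checker reports every violated rule rather than stopping at the first one, which is what an operator wants when explaining to a user why a chosen password was refused.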
6. Log out of the GUI on the Student FortiGate device and log back in as the Security_Admin user created earlier.
7. Test this administrator's access by attempting to create or modify various settings on the Student FortiGate device. You should observe that this admin user is only able to configure settings under Security Profiles.
For convenience in the labs, the admin password will not be set in the configuration files used in the subsequent modules.

Module 1 Lab 2: Administrative Access - Exercise 2
1. Connect to the GUI on the Remote FortiGate device by accessing the following URL: http://fgt.remote.lab
   Log in with the default username of admin (all lowercase) and no password.
2. Edit the admin account and enable the setting Restrict this Admin Login from Trusted Hosts Only. Set Trusted Host #1 to the address 10.0.2.0/24. Once the trusted host details have been entered, click OK to save the changes. Now, try connecting to the GUI of the Remote FortiGate device again. What is the result this time? Because you are connecting from the 10.200.1.1 address (the result of NAT on the Student FortiGate device), which is outside the trusted host range, you should notice that you are no longer able to connect to the device now that the connecting source IP is restricted using Trusted Hosts.
3. Attempt to ping the IP address 10.200.3.1. You should note that the ping no longer responds. This type of access is also affected by the restriction on source IP which we have configured above.
4. Go to the console of the Remote FortiGate device and enter the following CLI commands to add 10.200.0.0/16 as the second trusted IP address (Trusted Host #2) of the admin account:
   conf sys admin
   edit admin
   set trusthost2 10.200.0.0/16
   end
5. Test the GUI and ping access again to the IP address 10.200.3.1. You should now be able to connect to the GUI of the Remote device and ping it as well.
6. Go to System > Dashboard > Status and under System Information, click Details for Current Administrator. The administrators currently logged in to the FortiGate unit are displayed.
7. By default, an administrator has a maximum of three attempts to log in to their account before they are locked out for 60 seconds. The source IP address is taken into account by the attempt counter. The number of login attempts and the lockout period can be configured through the CLI.
To help improve the overall password security, the maximum number of attempts can be decreased and the lockout timer can be increased using the following CLI commands:
   config system global
   set admin-lockout-threshold 2
   set admin-lockout-duration 100
   end

Module 2 Lab 1: Status Monitor and Event Log
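The two controls in this exercise, trusted hosts (steps 2 to 5) and the per-source login lockout (step 7), can be modelled together to see how they interact. The following Python is an added example, not FortiGate code: the class and method names are this example's own, and it assumes that the failure counter resets after a successful login and restarts after a lockout expires, which the guide does not state.

```python
"""Added example: a model of the two administrative-access controls in this
lab, trusted hosts and the per-source-IP login lockout. Not FortiGate code;
the class, its method names and the counter reset rules are assumptions."""
from __future__ import annotations
import ipaddress


class AdminLoginGate:
    def __init__(self, trusted_hosts, lockout_threshold=3, lockout_duration=60):
        # trusthost entries, e.g. "10.0.2.0/24" (Trusted Host #1 in step 2)
        self.trusted = [ipaddress.ip_network(h) for h in trusted_hosts]
        self.threshold = lockout_threshold       # admin-lockout-threshold
        self.duration = lockout_duration         # admin-lockout-duration (s)
        self.failures: dict[str, int] = {}       # counted per source IP (step 7)
        self.locked_until: dict[str, float] = {}

    def source_trusted(self, src: str) -> bool:
        """A login is only considered if the source lies inside a trusted host."""
        ip = ipaddress.ip_address(src)
        return any(ip in net for net in self.trusted)

    def attempt(self, src: str, password_ok: bool, now: float) -> str:
        """Evaluate one login attempt from `src` at time `now` (seconds)."""
        if not self.source_trusted(src):
            return "rejected: source not in trusted hosts"
        if self.locked_until.get(src, 0) > now:
            return "rejected: locked out"
        if password_ok:
            self.failures[src] = 0               # assumption: success resets the count
            return "accepted"
        self.failures[src] = self.failures.get(src, 0) + 1
        if self.failures[src] >= self.threshold:
            self.locked_until[src] = now + self.duration
            self.failures[src] = 0               # assumption: counter restarts after lockout
            return "rejected: bad password, lockout started"
        return "rejected: bad password"


if __name__ == "__main__":
    # Step 2: only Trusted Host #1; the NATed Student address is refused.
    gate = AdminLoginGate(["10.0.2.0/24"])
    print(gate.attempt("10.200.1.1", True, 0))
    # Step 4 plus the hardened lockout values from step 7.
    gate = AdminLoginGate(["10.0.2.0/24", "10.200.0.0/16"],
                          lockout_threshold=2, lockout_duration=100)
    for t, ok in ((0, False), (1, False), (50, True), (101, True)):
        print(t, gate.attempt("10.200.1.1", ok, t))
```

Note that the trusted-host test runs before the password is even examined, so an untrusted source never consumes lockout attempts; this matches the lab's observation that even ping to the unit is refused once the source is restricted.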
The aim of this lab is for students to work with the event log and monitoring on a FortiGate unit.
- Identify and properly enable logging of system events
- Locate event logs for specific information
Estimated time to complete this lab: 10 minutes

Module 2 Lab 1: Status Monitor and Event Log - Exercise 1
1. From the GUI of the Student FortiGate device, go to System > Dashboard > Status and locate the System Resources widget.
2. Some widgets are not displayed on the dashboard by default. Click Widget to display the list of widgets available to add to the dashboard.
If not already added, click the Sessions History widget in the pop-up window to add it to the dashboard. Close the widget list window.
3. Hover the mouse over the title bar of the System Resources widget and click Edit to create a custom widget.
Configure a custom widget with the following details:
   Custom Widget Name: System Resource History
   View Type: Historical
   Time Period: Last 60 minutes
A line chart appears in a new custom System Resource History widget showing a trace of past CPU and memory usage.
The refresh rate of this window is automatically set to 1/20 of the time period (interval) configured.
4. The Alert Message Console widget displays recent system events, such as system restart and firmware upgrade. Hover the mouse over the title bar of the Alert Message Console widget and click History to view the entire message list.
Scroll to the bottom of the window and click Close.
5. Go to System > Dashboard and select Add Dashboard. Enter any name of your choice for the new dashboard and select the single column display.
6. Next, add the Top Sessions widget to your new dashboard. Click the edit icon in the title bar of the Top Sessions widget and observe the different ways in which top sessions can be reported, for example by top Destination Address, top Applications, etc. You can also select to display the top sessions by Source and Destination interfaces. Create your own customized Top Sessions widget and examine the sessions that are listed.
7. Test the functionality of the refresh, page forward, and page back icons in this window. You may need to generate some additional traffic in order to properly test these functions.
8. Click Dashboard and select Reset Dashboards to re-display the default dashboard.

Module 2 Lab 1: Status Monitor and Event Log - Exercise 2
1. From the Student FortiGate CLI, execute the following command to check the system status:
   get system status
2. Verify the Log hard disk status. If it is set to Available, proceed to Step 3. If the status appears as Need Format, enter the following command to format the drive:
   execute formatlogdisk
   When prompted to continue, type y and wait for the system to reboot. Once the system has restarted, check the log disk settings by executing the following commands:
   config log disk setting
   get
   You should observe that the status is enabled.
3. Repeat the previous steps on the Remote FortiGate device.
4. Return to the Student FortiGate device and log out of the GUI. When logging back in, use an incorrect password once and then use the correct password to log back in again. Go to Log & Report > Event Log > System and examine the log to find the invalid password event.
5. Go to Firewall Objects > Address > Address, and create a new firewall address using the following settings:
   Name: fortinet
   Type: FQDN
   FQDN: www.fortinet.com
   Leave the remaining settings at their defaults and click OK to save the changes.
6. Next, go to Log & Report > Event Log > System and review the log entries.
7. Go to Log & Report > Log Config > Log Setting and uncheck the option System activity event.
Click Apply to save the changes.
Different types of log entries fall into different categories. Only enable logging for the activities that you need to monitor. This avoids filling the logs with information you do not need and consuming unnecessary system resources.
8. Go to Firewall Objects > Address > Address and create another firewall address entry. Go to Log & Report > Event Log > System and review the log entries again. Note that the entries are no longer visible for this activity. With this option deselected in the Event Logging settings, you will no longer see entries in the log for Admin users logging on/off or making changes to the unit's configuration. Other types of log entries will still appear.
9. Go to Log & Report > Log Config > Log Settings and re-enable System activity event.
Module 2 Lab 2: Remote Monitoring
The aim of this lab is for students to set up logging to a remote device and monitoring of the FortiGate unit's behavior. It can be advantageous to use remote monitoring instead of local monitoring in order to reduce resource usage. For example, while the GUI widgets provide useful displays of your system information, they also carry a significant resource cost and should be used sparingly.
- Enabling monitoring from a syslog and SNMP device
Estimated time to complete this lab: 10 minutes

Module 2 Lab 2: Remote Monitoring - Exercise 1
The LINUX host in your student lab environment has been pre-configured for you to allow remote syslog.
1. From the CLI on the Student FortiGate device, enter the following commands to set up logging to the syslog server:
   conf log syslogd setting
   set status enable
   set facility local6
   set server 10.200.1.254
   end
2. Repeat the above step from the CLI on the Remote FortiGate device.
3. From the virtual Windows Server desktop, launch the putty.exe application and open an SSH session to the LINUX host (10.200.1.254).
Log in as root with the password: password.
4. Run the following command to monitor the FortiGate unit syslog messages, which are mapped to their own file by the local6 facility:
   tail -f /var/log/fortinet
5. Leave the SSH window open, return to the Student FortiGate device and generate some log entries by doing the following:
   - Attempt to log in with invalid credentials
   - Make a minor configuration change
6. From the GUI on the Student FortiGate device, go to System > Config > SNMP to enable SNMP monitoring. Select Enable for the SNMP Agent, then click Apply.
7. Create a new SNMP v3 security name using the settings displayed below. Set the Auth password to fortinet.
Click OK.
8. Go to System > Network > Interface and edit port1. Confirm that SNMP is enabled under the Administrative Access settings. If it is not enabled, you will need to enable it first, then click OK to save the changes.
9. Leave open the SSH window that is currently running the tail command and run putty again to open a new SSH connection to the LINUX host (10.200.1.254). Next, execute the following snmpwalk command to find and display all of the monitoring options that a device presents through SNMP:
   snmpwalk -v 3 -a sha -A fortinet -u training -l authNoPriv 10.200.1.1
   A tree listing of all the options available to monitor this FortiGate VM device will be displayed.
To make it easier to view the information available, you may also append > snmp.test to the command entered above. This will save the output to a file named snmp.test. Enter the command view snmp.test to view the output file.
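To see what the syslog collector on the LINUX host receives after step 1 (facility local6) and step 4, here is an added Python example that decodes the syslog PRI header and the key=value body of each message and picks out failed administrator logins. It is not FortiGate or Fortinet code; the sample lines are constructed to resemble FortiGate event messages and were not captured from a lab device, and the field names the filter relies on (action, status, user, ui) are this example's assumptions.

```python
"""Added example: decode syslog messages as the collector on the LINUX host
sees them. Not FortiGate code. SAMPLE_LINES are constructed to resemble
FortiGate event messages; they were not captured from a lab device."""
from __future__ import annotations
import re
import shlex

# RFC 3164 facility and severity codes; local6 (22) is the facility set in step 1.
FACILITY_NAMES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth",
                  5: "syslog", 6: "lpr", 7: "news"}
FACILITY_NAMES.update({16 + i: f"local{i}" for i in range(8)})
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice",
                  "info", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)

# Constructed sample: three FortiGate-style events (local6) and one sshd line
# (auth) to show why the facility filter matters on a shared collector.
SAMPLE_LINES = [
    '<180>date=2013-10-18 time=09:01:02 devname=Student type=event subtype=system '
    'level=warning user=admin ui=https(10.0.1.10) action=login status=failed '
    'reason=passwd_invalid msg="Administrator admin login failed from '
    'https(10.0.1.10) because of invalid password"',
    '<181>date=2013-10-18 time=09:01:20 devname=Student type=event subtype=system '
    'level=notice user=admin ui=https(10.0.1.10) action=login status=success '
    'msg="Administrator admin logged in successfully from https(10.0.1.10)"',
    '<181>date=2013-10-18 time=09:02:05 devname=Student type=event subtype=system '
    'level=notice user=admin ui=https(10.0.1.10) action=Edit '
    'cfgpath=firewall.address cfgobj=fortinet msg="Edit firewall.address fortinet"',
    '<38>Oct 18 09:03:00 linuxhost sshd[1234]: Accepted password for root '
    'from 10.0.1.10 port 51234 ssh2',
]


def split_pri(pri: int) -> tuple[int, int]:
    """PRI = facility * 8 + severity, so integer division and remainder
    recover the two fields."""
    return pri // 8, pri % 8


def parse_syslog(line: str) -> dict:
    """Return facility/severity names plus every key=value field in the body.
    shlex.split keeps a quoted value such as msg="..." as a single token."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("missing <PRI> header")
    facility, severity = split_pri(int(m.group(1)))
    record = {"facility": FACILITY_NAMES.get(facility, str(facility)),
              "severity": SEVERITY_NAMES[severity]}
    for token in shlex.split(m.group(2)):
        key, sep, value = token.partition("=")
        if sep and key.isidentifier():
            record[key] = value
    return record


def failed_admin_logins(lines) -> list[tuple[str, str]]:
    """(user, ui) for each FortiGate (local6) event recording a failed
    administrator login. Field names are an assumption of this example."""
    hits = []
    for line in lines:
        rec = parse_syslog(line)
        if rec["facility"] != "local6":
            continue                      # not from the FortiGate units
        if rec.get("action") == "login" and rec.get("status") == "failed":
            hits.append((rec.get("user"), rec.get("ui")))
    return hits


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse_syslog(line)
        print(rec["facility"], rec["severity"], rec.get("msg", line[:40]))
    print("failed admin logins:", failed_admin_logins(SAMPLE_LINES))
```

Because step 1 sends every FortiGate message with facility local6, the collector can route them to their own file (as /var/log/fortinet is in step 4) and a filter on facility alone separates firewall events from the host's own auth or daemon traffic before any field is inspected.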
Module 3 Lab 1: Firewall Policy
The aim of this lab is for students to work with firewall policies and examine the FortiGate unit behavior when policies are re-ordered.
- Describe the various actions that can be set in a firewall policy
- Demonstrate policy order
Estimated time to complete this lab: 20 minutes

Module 3 Lab 1: Firewall Policy - Exercise 1
1. From the Windows Server, you first will need to connect to the GUI on the Student FortiGate device (10.0.1.254) and restore the following configuration file that is needed for this lab: Resources\Module3\Student\student-policy.conf. The Student FortiGate device will reboot.
2. From the GUI on the Student FortiGate device, go to Firewall Objects > Address > Address and create the following address object:
   Name: STUDENT_INTERNAL
   Type: Subnet
   Subnet/IP Range: 10.0.1.0/255.255.255.0
   Interface: Any
   Once the settings have been entered, click OK to save the changes.
3. The unrestricted port3 to port1 policy will need to be temporarily disabled in the policy list. To do this, go to Policy > Policy > Policy, right-click the unrestricted port3 to port1 policy and select Status > Disable.
4. Next, click Create New to add a new firewall policy to provide general Internet access from the internal network. Configure the following settings:
   Policy Type: Firewall
   Policy Subtype: Address
   Incoming Interface: port3
   Source Address: STUDENT_INTERNAL
   Outgoing Interface: port1
   Destination Address: all
   Schedule: always
   Service: HTTP, HTTPS, DNS, ALL_ICMP, SSH (Hold down the CTRL key to select multiple services.)
   Action: ACCEPT
   Enable NAT: Enabled
   Use Destination Interface Address: Enabled
   Log Options: Enable Log all Sessions and select Generate Logs when Session Starts
   Comments: General Internet access
When creating firewall policies, keep in mind that the FortiGate device is a stateful firewall; therefore, a firewall policy only needs to be created for the direction of the originating traffic. Once the policy settings have been entered, click OK to save the changes.
5. From the virtual Windows Server desktop, open a web browser and connect to various external web servers.
6. From the CLI, enter the following command to see the source NAT action:
   # get system session list
   Sample Output:
Note that the new source address being applied is that of the destination interface, port1 (10.200.1.1).

Module 3 Lab 1: Firewall Policy - Exercise 2
1. Use the same steps you performed earlier to create a second firewall policy. Configure the following settings:
   Policy Type: Firewall
   Policy Subtype: Address
   Incoming Interface: port3
   Source Address: STUDENT_INTERNAL
   Outgoing Interface: port1
   Destination Address: Click Create and configure the following:
      Name: LINUX_ETH1
      Type: Subnet
      Subnet / IP Range: 10.200.1.254/255.255.255.255
      Click OK.
   Schedule: always
   Service: PING
   Action: DENY
   Log Violation Traffic: Enabled
Once the policy settings have been entered, click OK to save the changes.
2. From the Windows Server, open a DOS command prompt and ping the port1 gateway as follows:
   ping -t 10.200.1.254
   Provided you have not changed the rule ordering, the ping should still work, as it matches the ACCEPT policy and not the DENY policy just created. This demonstrates the behavior of policy ordering: the second policy was never checked because the traffic matched the first policy. Leave this window open and perform the next step.
3. From the GUI on the Student FortiGate device, go to Policy > Policy > Policy and right-click any of the column headings. Select Column Settings > ID. Move this column accordingly for easier viewing. By default, only the sequence number of the firewall policy is displayed in the GUI.
4. Next, click the Seq.# for the DENY policy created previously and drag this policy upwards to position it before the General Internet access policy.
5. Return to the Windows Server and examine the DOS command prompt window still running the continuous ping. You should observe that this traffic is now blocked and the replies appear as Request timed out. Enter CTRL-C to end the ping command.

Module 3 Lab 1: Firewall Policy - Exercise 3
In this exercise, a virtual IP address will be configured to allow remote Internet connections to the Windows Server located at 10.0.1.10.
1. Go to Firewall Objects > Virtual IP > Virtual IP and click Create New to add a new virtual IP mapping with the following details:
   Name: VIP_WIN2K3
   External Interface: port1
   Type: Static NAT
   External IP Address/Range: 10.200.1.200
   Mapped IP Address/Range: 10.0.1.10
Once the virtual IP settings have been entered, click OK to save the changes.
2. Next, create a new firewall policy to provide access to the web server. Configure the following settings:
   Policy Type: Firewall
   Policy Subtype: Address
   Incoming Interface: port1
   Source Address: all
   Outgoing Interface: port3
   Destination Address: VIP_WIN2K3
   Schedule: always
   Service: HTTP
   Action: ACCEPT
   Log Options: Enable Log all Sessions and select Generate Logs when Session Starts
   Enable NAT: Disabled (default)
   Comments: Public access to web server
   Once the policy settings have been entered, click OK to save the changes.
3. The firewall is stateful, so any existing sessions will not use this new firewall policy until they time out or are cleared. The sessions can be cleared individually from the session widget on the Status page, or from the CLI by executing the following:
   diag sys session clear
4. Connect to the console of the remote Windows host. (From the virtual lab applet, go to Operations > Connect to Secondary > WinXP to connect to the console of your WinXP host.) On the WinXP desktop, open a web browser and access the following URL: http://10.200.1.200
   If the virtual IP operation is successful, a simple web page appears displaying the message "It works!".
5. From the CLI on the Student FortiGate device, check the destination NAT entries in the session table by using the following command:
   # get system session list
   Sample Output:
6. On the virtual Windows Server desktop, open a web browser and connect to a few external web sites. Now examine the session information again as follows:
   # get system session list
Note that the outgoing connections from the Windows Server are now being NATed with the VIP address instead of the firewall's interface address. This is a behavior of the static NAT VIP: when source NAT (SNAT) is enabled on a policy, a static NAT VIP for the source host takes priority over the destination interface IP address.

Module 3 Lab 1: Firewall Policy - Exercise 4
Currently, all traffic generated from the Windows Server through the Student FortiGate device has a translated source IP address of 10.200.1.200 because of the static NAT translation in the VIP.
In this exercise, an IP address pool will be applied to a new rule which will override this behavior.
1. From the GUI on the Student FortiGate device, go to Firewall Objects > Virtual IP > IP Pool and create a new IP pool using the following settings:
   Name: WIN2K3_EXT_IP
   External IP Range/Subnet: 10.200.1.100
   Once the IP pool settings have been entered, click OK to save the changes.
2. Go to Policy > Policy > Policy, and right-click the outgoing General Internet access policy. Select Copy Policy, then right-click the same policy again and select Paste > Above.
3. Select the new copy of the General Internet access policy and configure the following settings:
   Policy Type: Firewall
   Policy Subtype: Address
   Incoming Interface: port3
   Source Address: WIN2K3
   Outgoing Interface: port1
   Destination Address: all
   Schedule: always
   Service: ALL
   Action: ACCEPT
   Log Options: Enable Log all Sessions and select Generate Logs when Session Starts
   Enable NAT: Enabled
   Use Dynamic IP Pool: WIN2K3_EXT_IP
   Comments: Windows Server source NAT override
   Once the policy settings have been entered, click OK to save the changes and verify that you have enabled it.
4. The firewall does stateful inspection, so any existing sessions will not use this new firewall policy until they time out or are cleared. The sessions can be cleared individually from the session widget on the Status page, or from the CLI by executing the following:
   diag sys session clear
5. Connect to a few external web sites and then examine the session table to check the source NAT used. From the CLI on the Student FortiGate device, enter the following command to verify the source NAT IP address:
   # get system session list
   Sample Output:
Observe that the source NAT address is now 10.200.1.100, as configured in the IP pool; therefore the order of precedence is IP Pool > Static-NAT VIP > Destination Interface.
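The two behaviors demonstrated in Exercises 2 through 4, first-match policy ordering and the source NAT precedence IP Pool > Static-NAT VIP > Destination Interface, can be reproduced in a small model. The following Python is an added example written for this guide, not FortiGate code: the policy table uses the lab's objects (STUDENT_INTERNAL, LINUX_ETH1, VIP_WIN2K3, WIN2K3_EXT_IP, port1 at 10.200.1.1), while the decide() helper, the representation of the WIN2K3 address as 10.0.1.10/32, the rule that ALL_ICMP covers PING, and the external destination 203.0.113.5 are this example's assumptions.

```python
"""Added example: first-match policy lookup and source NAT selection,
modelled on what Module 3 Lab 1 demonstrates. Not FortiGate code."""
from __future__ import annotations
from dataclasses import dataclass
import ipaddress


@dataclass
class Policy:
    name: str
    src_intf: str
    src: str                      # source address object as CIDR
    dst_intf: str
    dst: str                      # destination address object as CIDR
    services: set                 # service names; "ALL" matches everything
    action: str                   # "ACCEPT" or "DENY"
    nat: bool = False             # Enable NAT
    ip_pool: str | None = None    # Use Dynamic IP Pool


def service_matches(policy_services: set, service: str) -> bool:
    # Assumption of this example: ALL_ICMP covers PING, as seen in Exercise 2.
    if "ALL" in policy_services or service in policy_services:
        return True
    return service == "PING" and "ALL_ICMP" in policy_services


def matches(p: Policy, src_intf, src_ip, dst_intf, dst_ip, service) -> bool:
    return (p.src_intf == src_intf and p.dst_intf == dst_intf
            and ipaddress.ip_address(src_ip) in ipaddress.ip_network(p.src)
            and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(p.dst)
            and service_matches(p.services, service))


def first_match(policies, **pkt) -> Policy | None:
    """Policies are evaluated top to bottom; the first match wins and later
    policies are never consulted (the ordering effect seen in Exercise 2)."""
    for p in policies:
        if matches(p, **pkt):
            return p
    return None                   # no match: implicit deny


def select_snat(policy, src_ip, static_vips, ip_pools, dst_intf_ip):
    """Translated source address for an accepted session, using the
    precedence observed in Exercise 4: IP Pool > Static-NAT VIP >
    Destination Interface."""
    if policy is None or policy.action != "ACCEPT":
        return None
    if not policy.nat:
        return src_ip
    if policy.ip_pool:
        return ip_pools[policy.ip_pool]
    for vip in static_vips:
        if vip["mapped"] == src_ip:
            return vip["external"]
    return dst_intf_ip


# Lab objects from Module 3 Lab 1, with address objects expressed as CIDR.
GENERAL = Policy("General Internet access", "port3", "10.0.1.0/24", "port1",
                 "0.0.0.0/0", {"HTTP", "HTTPS", "DNS", "ALL_ICMP", "SSH"},
                 "ACCEPT", nat=True)
DENY_PING = Policy("Deny PING to LINUX_ETH1", "port3", "10.0.1.0/24", "port1",
                   "10.200.1.254/32", {"PING"}, "DENY")
OVERRIDE = Policy("Windows Server source NAT override", "port3",
                  "10.0.1.10/32", "port1", "0.0.0.0/0", {"ALL"}, "ACCEPT",
                  nat=True, ip_pool="WIN2K3_EXT_IP")
STATIC_VIPS = [{"name": "VIP_WIN2K3", "external": "10.200.1.200",
                "mapped": "10.0.1.10"}]
IP_POOLS = {"WIN2K3_EXT_IP": "10.200.1.100"}
PORT1_IP = "10.200.1.1"


def decide(policies, src_ip, dst_ip, service, static_vips=STATIC_VIPS):
    """Return (matched policy name, action, translated source) for a packet
    entering on port3 and leaving on port1."""
    p = first_match(policies, src_intf="port3", src_ip=src_ip,
                    dst_intf="port1", dst_ip=dst_ip, service=service)
    name = p.name if p else None
    action = p.action if p else "DENY"
    return name, action, select_snat(p, src_ip, static_vips, IP_POOLS, PORT1_IP)


if __name__ == "__main__":
    # Exercise 2, before and after the DENY policy is dragged above ACCEPT
    # (no VIP exists yet, so static_vips is empty).
    print(decide([GENERAL, DENY_PING], "10.0.1.10", "10.200.1.254", "PING", []))
    print(decide([DENY_PING, GENERAL], "10.0.1.10", "10.200.1.254", "PING", []))
    # Exercise 3 (static NAT VIP) and Exercise 4 (IP pool wins).
    print(decide([GENERAL], "10.0.1.10", "203.0.113.5", "HTTP"))
    print(decide([OVERRIDE, GENERAL], "10.0.1.10", "203.0.113.5", "HTTP"))
```

Running the block prints the four session outcomes in the order the lab observes them: ACCEPT with the port1 address, DENY once the policy order is swapped, ACCEPT with the VIP address 10.200.1.200, and ACCEPT with the pool address 10.200.1.100.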
Module 3 Lab 2: Traffic Log
The aim of this lab is to read traffic logs and become familiar with their contents.
- Demonstrate how to enable traffic logging
- Read and understand traffic log entries
Estimated time to complete this lab: 5 minutes
Module 3 Lab 2: Traffic Log - Exercise 1
1. Go to Policy > Policy > Policy and click the Seq.# of the DENY policy that you created previously. Drag this policy to position it BEFORE the Windows Server source NAT override policy.
2. Edit the DENY policy and verify that Log Violation Traffic is enabled.
3. From the Windows Server, open a DOS command prompt and ping the port1 gateway as follows:
   ping -t 10.200.1.254
   Provided you have positioned the rule correctly, this traffic should be blocked and time out.
4. From the GUI on the Student FortiGate device, go to Log & Report > Traffic Log > Forward Traffic to examine the log entries. You should observe violation traffic entries. These entries appear with red X symbols under the column Security Action.
5. Edit the DENY policy. Change the Action setting to ACCEPT, and enable NAT by selecting the Enable NAT checkbox. Once these policy settings have been entered, click OK to save the changes. From the Windows Server, you should observe that the ping now succeeds.
6. From the GUI on the Student FortiGate device, go to Log & Report > Traffic Log > Forward Traffic. The log entries will no longer show violation traffic, but summaries of the ping traffic that passed.

Module 3 Lab 3: Device Policies
In this exercise you will create a firewall policy that uses the email captive portal. Once the device is learned, access to a test web server should be given to the device.
- Demonstrate how to enable Device Identification
- Configure Device Identification policies
Estimated time to complete this lab: 10 minutes
Module 3 Lab 3: Device Policies - Exercise 1
1. From the virtual Windows Server host, you first will need to connect to the Student FortiGate device and restore the configuration file needed for this exercise. Restore the following configuration file: Resources\Delta\delta-student-initial.conf.
2. Edit the outgoing port3 to port2 firewall policy using the following settings:
   Policy Type: Firewall
   Policy Subtype: Device Identity
   Incoming Interface: port3
   Source Address: STUDENT_INTERNAL
   Outgoing Interface: port2
   Enable NAT: Enabled. Select Use Destination Interface Address
Next, click Create New under Configure Authentication Rules and create the following sub-policies:
Sub-policy 1:
   Destination Address: all
   Device: Windows PC
   Schedule: always
   Service: HTTP
   Action: Accept
   Click OK.
Sub-policy 2:
   Destination Address: all
   Device: Collected Emails
   Schedule: always
   Service: HTTP, HTTPS, ALL_ICMP, SSH, SMTP, POP3, FTP (Hold down the CTRL key to select multiple services.)
   Action: ACCEPT
   Click OK.
Under Device Policy Options enable Prompt E-mail Collection Portal for all devices as follows:
Once you have configured all the above policy settings, click OK to save the changes.
3. Use drag-and-drop to reorder the sub-policies. The captive portal policy should be last in the sub-policy list, because this rule should only be matched if the device has not already been identified. In this example, the first web traffic from the client matches the email captive portal rule. The subsequent traffic matches the collected email device object, as we now have this information.
4. Check the device policy and sub-policies.
Click OK.
5. You will now test the device policy on the Student FortiGate device. First, execute the following CLI commands to disable the email DNS check for the captive portal. (This step is required for the purposes of this lab.)
   config system settings
   set email-portal-check-dns disable
   end
6. From your web browser, connect to: http://10.200.1.254. You should get to the portal. Accept the conditions and enter your email address when prompted.
You should now be redirected to the web site.
7. From the CLI, you can use debug flow to examine the traffic:
   diag debug flow filter addr 10.200.1.254
   diag debug flow show func en
   diag debug flow show cons en
   diag debug enable
   diag debug flow trace start 20
8. Go to User & Device > Device > Device Definition and check the new device. This device is a dynamic device. These devices may update and are stored to the flash to speed up detection.
   diag user device list
9. Clear the device from the CLI and reload the web page as follows:
   diag user device clear
   You should observe that you are redirected to the email portal again. Accept the conditions and enter your email address.
10. Perform a show from the CLI to confirm there are no devices in the configuration file:
   show user device
11. From the GUI, go to User & Device > Device > Device Definition and edit your device from the device list. Add an alias called myDevice. This creates a static device in the configuration file. Once you have the alias entered, click OK to save the change.
Perform the following show command to confirm that the device now appears in the configuration file. show user device 12. Go to User & Device > Device > Device Group. Note that your device is already a member of several predefined device groups. Click Create New and add a new device group called myDevGroup. Next, add myDevice to the Members list and click OK. Note that your device is still a member of the predefined groups and is now a member of the custom group myDevGroup. FOR REVIEW ONLY Module 3 Lab 3: Device Policies Exercise 1
13. From a DOS prompt on the virtual Windows host, open an FTP connection to 10.200.1.254. Once you have connected, close the FTP connection.
14. Now add a sub-policy to your firewall device policy blocking FTP. Edit the device policy and create the following sub-policy:
Sub-policy 3:
Destination: LINUX_ETH1
Device: myDevGroup
Schedule: always
Service: FTP
Action: Deny
Log Violation Traffic: Enable
Click OK.
15. Use drag-and-drop to reorder the sub-policies so that this policy is first in the list.
16. From your PC, test that you can open an FTP connection to 10.200.1.254. You should observe that the connection now fails to establish.
View the traffic logs and find the deny entry.

Module 4 Lab 1: User Authentication
The aim of this lab is to introduce students to user authentication management on the FortiGate unit.
Create an identity-based policy
Manage user authentication
Estimated time to complete this lab: 20 minutes

Module 4 Lab 1: User Authentication Exercise 1
1. From the Windows Server, you will first need to connect to the Student FortiGate device and restore the configuration file that is needed for this lab. Connect to the GUI on the Student FortiGate device (10.0.1.254) and restore the following configuration file: Resources\Module4\Student\student-auth.conf. The Student FortiGate device will reboot.
2. When the device has rebooted, review the user configuration for this lab. Go to User & Device > User > User Definition to review the local user settings. Go to User & Device > User Group > User to review the user group configuration.
3. On the virtual Windows Server desktop, open a web browser and connect to a new web site. At the login prompt, enter the following credentials:
Username: student
Password: F0rtinet
You should observe that after successful authentication, you are redirected to your destination web site.
4. From the GUI on the Student FortiGate device, go to Policy > Policy > Policy and review the outgoing port3 → port1 firewall policy with authentication configured.
5. Next, open a putty.exe session and try to ping or connect via SSH to 10.200.1.254. You should observe that both of these tests fail.
Even though there is an accept rule for this traffic, it is not being allowed. This highlights an important behavior of identity policies: the service becomes a permission rather than a selector. In our example the identity policy therefore matches all outgoing traffic regardless of service, and the service is then allowed only if it is permitted for the user. Since the authentication policy matches the source IP and SSH is not an allowed service, the FortiGate does not look for another matching firewall policy: a policy has already been found, and the traffic is not allowed through it.
There are two ways to correct this. You can either add ALL_ICMP and SSH to the identity policy rule for the training user group, or move the regular policy before the identity policy.
Using either one of these options, make your configuration change and retest using ping or by connecting through SSH. If using SSH, log in as root with the password: password.
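The policy-lookup behaviour just described, as an added model that is not part of the course material: a regular policy treats the service as a selector and is skipped when the service does not match, while an identity-based policy treats it as a permission and ends the lookup with a deny. The policy names, subnets and the group-to-service mapping are constructed for illustration; only the training group and the two fixes follow the lab.

```python
# Added example (not from the Fortinet course): a minimal model of the
# identity-based policy matching behaviour described in the lab. The policy
# objects, subnets and group-to-service mapping are constructed.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Policy:
    name: str
    src: str                                    # source subnet (selector)
    services: set = field(default_factory=set)  # selector for a regular policy
    identity_based: bool = False
    # identity policy: group -> services the group is permitted to use
    permissions: dict = field(default_factory=dict)


# Hypothetical user-to-group mapping (the lab authenticates 'student').
USER_GROUPS = {"student": "training"}


def lookup(policies, src_ip, service, user=None):
    """Return (policy name, verdict) for the first policy whose selector matches.

    Regular policy: the service is part of the selector, so a non-matching
    service skips the policy and the next one is tried.
    Identity-based policy: only the source (plus the authenticated user) is the
    selector; the service is a permission checked against the user's group.
    When the permission is missing the traffic is denied and no later policy is
    consulted, which is what the lab shows with ping and SSH.
    """
    for p in policies:
        if ip_address(src_ip) not in ip_network(p.src):
            continue
        if p.identity_based:
            permitted = p.permissions.get(USER_GROUPS.get(user), set())
            return p.name, ("accept" if service in permitted else "deny")
        if service in p.services:
            return p.name, "accept"
    return None, "deny"   # implicit deny at the end of the policy list


# Identity policy for the training group (web only) and a regular policy that
# would otherwise allow ping and SSH; both names are constructed.
IDENTITY = Policy("port3-port1-auth", "10.0.1.0/24", identity_based=True,
                  permissions={"training": {"HTTP", "HTTPS"}})
REGULAR = Policy("port3-port1-mgmt", "10.0.1.0/24", services={"ALL_ICMP", "SSH"})


def lab_results():
    """Outcomes for the lab's order and for each of the two fixes it offers."""
    as_in_lab = [IDENTITY, REGULAR]
    fix_reorder = [REGULAR, IDENTITY]          # move the regular policy first
    fix_extend = [Policy("port3-port1-auth", "10.0.1.0/24", identity_based=True,
                         permissions={"training": {"HTTP", "HTTPS", "ALL_ICMP", "SSH"}}),
                  REGULAR]                     # add ALL_ICMP and SSH to the identity rule
    return {
        "lab_http": lookup(as_in_lab, "10.0.1.10", "HTTP", "student"),
        "lab_ssh": lookup(as_in_lab, "10.0.1.10", "SSH", "student"),
        "reordered_ssh": lookup(fix_reorder, "10.0.1.10", "SSH", "student"),
        "reordered_http": lookup(fix_reorder, "10.0.1.10", "HTTP", "student"),
        "extended_ssh": lookup(fix_extend, "10.0.1.10", "SSH", "student"),
    }


if __name__ == "__main__":
    for case, (policy, verdict) in lab_results().items():
        print(f"{case:15s} -> {verdict} ({policy})")
```

The reordered case also shows why moving the regular policy first is safe for web traffic: HTTP does not match its service selector, so the lookup falls through to the identity policy as before.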
P a g e | 47
Course 201 Administration, Content Inspection and VPNs 01-50003-0201-20131018-D
6. Go to User & Device > Monitor > Firewall to view the details of the authenticated user along with the policy used to authenticate this user.
7. Next, go to Log & Report > Event Log > User and locate the log messages for the firewall policy authentication events. The details for the entry are displayed in the lower pane of the Event Log window.
Notice that the user's name, student, is now included in the log messages.
8. From the CLI, view the IP addresses and users which have successfully authenticated to the FortiGate unit with the following command:
diag firewall auth list
Clear all authenticated sessions with the following command:
diag firewall auth clear
Caution: Be careful using this command on a live FortiGate system as it will clear ALL authenticated users.
Module 5 Lab 1: SSL VPN
The aim of this lab is for students to work with and manage user groups and portals for the SSL VPN.
Configure and connect to an SSL VPN
Enable various authentication security options
Estimated time to complete this lab: 30 minutes

Module 5 Lab 1: SSL VPN Exercise 1
1. From the Windows Server, you will first need to connect to the Student FortiGate device and restore the configuration file that is needed for this lab. Connect to the GUI on the Student FortiGate device (10.0.1.254) and restore the following configuration file: Resources\Module5\Student\student-ssl.conf. The Student FortiGate device will reboot.
2. When the device has rebooted, review the SSL VPN access configuration for this lab. Go to Policy > Policy > Policy and examine the port1 → port3 policy for SSL VPN. Note from the policy list that this policy has a sub-policy. Edit this policy to view its components. The settings are configured as follows:
Policy Type: VPN
Policy Subtype: SSL-VPN
Incoming Interface: port1
Remote Address: all
Local Interface: port3
Local Protected Subnet: WIN2K3
SSL Client Certificate Restrictive: Disabled
The policy is incoming, that is, from the external network to the internal network.
The policy subtype is SSL VPN, which indicates further processing beyond simply accepting the traffic.
Under Configure SSL-VPN Authentication Rules, edit the first rule to view its contents. Notice that this allows users in the training group to access the web-access SSL-VPN portal.
You will notice that this rule contains many settings including Group(s), User(s), Schedule, Service and SSL-VPN Portal. Select Cancel to close the edit window for this sub-policy.
In an upcoming exercise, we will be adding to this policy to allow tunnel access.
3. To observe the effect of this policy, you will now access the SSL VPN. On the virtual external Windows XP host desktop, open a web browser and access the SSL VPN by browsing to the following URL: https://10.200.1.1. Accept the security warnings for the self-signed certificate and log in using the following credentials:
Username: student
Password: F0rtinet
You should notice that you are able to log in successfully; however, the web portal is currently in its default settings. We will now configure the web-access portal which is selected in the SSL VPN policy. Log out and return to the virtual Windows Server host.
4. Go to VPN > SSL > Portal and from the drop-down list displayed in the top right-hand corner, select web-access to edit this portal. Verify that Include Bookmarks is selected and then, in the table shown, create the following bookmarks for the internal server.
Bookmark for HTTP:
Category: Test
Name: HTTP/HTTPS
Type: HTTP/HTTPS
Location: 10.0.1.10
Click OK.
Bookmark for RDP:
Category: Test
Name: RDP
Type: RDP
Location: 10.0.1.10
Click OK.
Modify the Portal Message with a message of your choice, then click Apply to save all the changes. Select View Portal to review your changes.
5. Test the SSL VPN access again from the external Windows host (WINXP) by browsing to: https://10.200.1.1. You should now observe that you have two bookmarks listed.
6. Select the HTTP/HTTPS bookmark and examine the items listed below to understand how the web access functions. Note the URL of the web site in the browser address bar: https://10.200.1.1/proxy/http/10.0.1.10/
The first part of the address is the encrypted link to the FortiGate SSL VPN gateway: https://10.200.1.1/
The second part of the address is the instruction to use the SSL VPN HTTP proxy: .../proxy/http...
The final part of the address is the destination of the connection from the HTTP proxy: .../10.0.1.10/
In this example, the connection is encrypted up to the SSL VPN gateway. The connection from the HTTP proxy to the final destination is in clear text.
7. Return to the virtual Windows Server device and, from the GUI on the Student FortiGate device, go to VPN > Monitor > SSL-VPN Monitor. Locate the details of the SSL VPN connection. Note the User, Source IP and Begin Time.
8. Go to Log & Report > Event Log > VPN and view the corresponding log entry. Look for the SSL tunnel established message.
9. From the external Windows XP host, log out of the SSL VPN connection. Return to the log and look for the SSL tunnel shutdown message.
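The three-part URL shape above, taken apart programmatically as an added example that is not part of the course material: the parser splits a web-mode bookmark URL into the gateway link, the proxy instruction and the destination, and reports for each hop whether it is encrypted. The function name and the returned field names are my own; the URL format is the one shown in step 6.

```python
# Added example (not from the Fortinet course): parse the web-mode SSL VPN
# proxy URL shape https://<gateway>/proxy/<scheme>/<host>/<path> and report
# which hop is encrypted. Helper and field names are constructed here.
from urllib.parse import urlsplit


def parse_sslvpn_proxy_url(url):
    """Split a web-mode bookmark URL into its gateway, proxy and destination parts."""
    parts = urlsplit(url)
    segments = parts.path.split("/")      # e.g. ['', 'proxy', 'http', '10.0.1.10', '']
    if len(segments) < 4 or segments[1] != "proxy":
        raise ValueError("not an SSL VPN web-mode proxy URL")
    inner_scheme = segments[2]            # protocol the gateway's proxy speaks
    inner_host = segments[3]              # destination the proxy connects to
    inner_path = "/" + "/".join(segments[4:])
    return {
        # first hop: browser -> FortiGate SSL VPN gateway
        "gateway": f"{parts.scheme}://{parts.netloc}/",
        "client_to_gateway_encrypted": parts.scheme == "https",
        # second hop: gateway's HTTP proxy -> internal server
        "proxy_scheme": inner_scheme,
        "destination": inner_host,
        "destination_url": f"{inner_scheme}://{inner_host}{inner_path}",
        # only protected when the proxied protocol is itself HTTPS
        "gateway_to_destination_encrypted": inner_scheme == "https",
    }


if __name__ == "__main__":
    for key, value in parse_sslvpn_proxy_url("https://10.200.1.1/proxy/http/10.0.1.10/").items():
        print(f"{key:34s} {value}")
```

For the lab's bookmark the result shows the first hop encrypted and the second hop in clear text, which is the point step 6 makes; a bookmark of type HTTPS would show both hops encrypted.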
Module 5 Lab 1: SSL VPN Exercise 2
In this exercise you will edit the current SSL policy, adding a new sub-rule for a second user configured for tunnel mode.
1. Edit the SSL VPN policy and, under Configure SSL-VPN Authentication Rules, create a new sub-policy for a full-access portal using the following settings:
Group(s): training
Schedule: always
SSL-VPN Portal: full-access
After adding the sub-policy, click OK to save the changes.
2. To observe the effect of this sub-policy, you will now access the SSL VPN again. From the virtual external Windows XP host desktop, open a web browser and access the SSL VPN by browsing to the following URL: https://10.200.1.1. When prompted, log in to the SSL VPN using the following credentials:
Username: student
Password: F0rtinet
3. What do you see when you log in? You should see the same portal as in the previous exercise. Why?
The training user group is associated with both sub-policies; therefore the first one, matching the web-access portal, is applied.
You could move the rule so that the rule for the full-access portal is first in the list; however, this would affect all users in that group. Instead, edit the sub-rule created in step 1 above and set the user group to training2.
Click OK to save the rule settings, then click OK again to save the policy changes.
4. In the web browser on the virtual remote Windows XP host, connect to the SSL VPN portal once again using the URL: https://10.200.1.1. Note that you may need to clear the web browser's cache if the login window is not displayed.
This time, log in to the SSL VPN using the following credentials:
Username: student2
Password: F0rtinet2
You should now observe that the portal established is the full-access portal.
Note: If using the SSL VPN client available with FortiClient, you do not need to log in via the portal.
5. In the Tunnel Mode panel, click Connect. You should see a link status of UP and the bytes sent and received incrementing.
6. On the virtual remote Windows host, open a DOS command prompt and perform the following:
ipconfig
Note down your assigned IP address for reference.
Note that the fortissl adapter has an IP address. Where does this IP address come from? Display the routing information by entering the following command:
route print
Note the low metric routes and observe that there is a route to 10.0.1.10. Where did this come from?
Run a continuous ping to 10.0.1.10 as follows:
ping -t 10.0.1.10
7. From the GUI on the Student FortiGate device, go to VPN > Monitor > SSL-VPN Monitor. The SSL-VPN Monitor displays the client connections and the IP allocated to the tunnel connection.
8. In the firewall policy list, examine the Count field to see the packets and bytes per policy. You may need to reposition this column for easier viewing. Notice that there is traffic associated with the incoming rule from the ssl.<vdom name> interface. This rule is created automatically. This traffic is the incoming traffic from your SSL VPN client.
Where does your assigned address come from?
9. Go to VPN > SSL > Portal to access the SSL VPN portal configuration. Edit the full-access portal.
Within the Enable Tunnel Mode options, note the IP Pool used, which refers to a firewall address object.
10. Go to Firewall Objects to look up that firewall address object. What are the values of that object? The object defines an address range that matches your assigned address, so this is how IP addresses are configured and assigned to SSL VPN clients.
Where does the route to 10.0.1.10 come from?
HINT: In the policy list, look at the Destination address of the SSL VPN policy.
You will observe that the address object values for WIN2K3 are 10.0.1.10/32, so this is where the SSL VPN client route came from.
With this present configuration, the SSL VPN client is split tunneling. This means that only traffic to the specific destination behind the firewall is tunneled, and all other traffic goes to the default gateway.
What configuration change would you need to make to give the client a default route into the tunnel?
Disable split tunneling in the full-access portal, which means a default route is pushed to the client, forcing all traffic into the tunnel.
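The two answers above (the tunnel address comes from the IP pool's address range; the client route comes from the policy's destination address object, and becomes a default route once split tunneling is off) as an added model that is not part of the course material. The WIN2K3 object follows the lab; the pool object's name and range, the portal dictionary and all function names are assumptions, and FortiOS's real allocation logic is not reproduced.

```python
# Added example (not from the Fortinet course): derive what a tunnel-mode SSL
# VPN client receives from the portal and policy settings described in the lab.
# Address objects, pool range and portal settings are constructed.
from ipaddress import ip_address, ip_network


# Firewall address objects. WIN2K3 is the SSL VPN policy's destination (as in
# the lab); the pool object's name and range are assumed for this example.
ADDRESS_OBJECTS = {
    "WIN2K3": {"type": "subnet", "value": "10.0.1.10/32"},
    "SSLVPN_TUNNEL_ADDR1": {"type": "iprange",
                            "value": "10.212.134.200-10.212.134.210"},
}

# Full-access portal settings as the lab describes them (constructed).
FULL_ACCESS_PORTAL = {"tunnel_mode": True, "split_tunneling": True,
                      "ip_pool": "SSLVPN_TUNNEL_ADDR1"}


def pool_addresses(pool_name, objects=ADDRESS_OBJECTS):
    """Expand an iprange address object into its individual addresses."""
    obj = objects[pool_name]
    if obj["type"] != "iprange":
        raise ValueError("IP pool must be an iprange address object")
    first, last = (ip_address(s) for s in obj["value"].split("-"))
    return [ip_address(n) for n in range(int(first), int(last) + 1)]


def allocate_tunnel_ip(pool_name, in_use=(), objects=ADDRESS_OBJECTS):
    """Hand out the first pool address not already allocated (None if exhausted)."""
    taken = {ip_address(a) for a in in_use}
    for addr in pool_addresses(pool_name, objects):
        if addr not in taken:
            return str(addr)
    return None


def client_routes(portal, policy_destinations, objects=ADDRESS_OBJECTS):
    """Routes pushed to the client: with split tunneling only the policy's
    destination objects; without it, a default route into the tunnel."""
    if not portal["split_tunneling"]:
        return ["0.0.0.0/0"]
    return [str(ip_network(objects[name]["value"])) for name in policy_destinations]


def build_client_config(portal, policy_destinations, in_use=()):
    """What the fortissl adapter ends up with for one connecting client."""
    if not portal["tunnel_mode"]:
        raise ValueError("portal does not offer tunnel mode")
    return {"assigned_ip": allocate_tunnel_ip(portal["ip_pool"], in_use),
            "routes": client_routes(portal, policy_destinations)}


if __name__ == "__main__":
    print("split tunnel:", build_client_config(FULL_ACCESS_PORTAL, ["WIN2K3"]))
    no_split = dict(FULL_ACCESS_PORTAL, split_tunneling=False)
    print("full tunnel: ", build_client_config(no_split, ["WIN2K3"]))
```

Passing the addresses already handed out through `in_use` shows why the pool's size bounds the number of concurrent tunnel clients: once the range is exhausted the allocator returns None.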
Module 6 Lab 1: IPSec VPN
The aim of this lab is for students to configure an IPSec VPN on the FortiGate device using both interface-based and policy-based modes.
Configure and implement interface-based and policy-based IPSec VPNs
Demonstrate the differences between interface-based and policy-based VPNs
Explain IPSec VPN configuration options
Estimated time to complete this lab: 30 minutes

Module 6 Lab 1: IPSec VPN Exercise 1
1. From the Windows Server, you will first need to connect to the Student and Remote FortiGate devices and restore the configuration files that are needed for this lab. Connect to the GUI on the Student FortiGate device (10.0.1.254) and restore the following configuration file: Resources\Module6\Student\student-ipsec.conf. The Student FortiGate device will reboot. Connect to the GUI on the Remote FortiGate device (10.200.3.1) and restore the following configuration file: Resources\Module6\Remote\remote-ipsec.conf. The Remote FortiGate device will reboot.
2. When the Student FortiGate device has rebooted, open a DOS command prompt from the virtual Windows Server and run a continuous ping to the remote Windows XP host as follows:
ping -t 10.0.2.10
3. From the GUI on the Student FortiGate device, go to VPN > Monitor > IPsec Monitor and examine the tunnel status. You should observe a tunnel named remote with the destination 10.200.3.1 and a status of up. This is the tunnel that is established to the Remote FortiGate device.
4. From the Student FortiGate device, review the firewall policy port3 → remote. View the Count column so that you can see the packets and bytes per policy. Observe that the counter is incrementing for the port3 → remote policy.
What is the interface remote?
Go to System > Network > Interface and note the blue arrowhead associated with port1. If you expand this, you will be able to see the remote interface and the type for this interface, which is set to Tunnel Interface.
5. Go to VPN > IPsec > Auto Key (IKE) and review the IPsec configuration. Note the Phase 1 and Phase 2 IKE objects. Edit the Phase 1 IKE object remote. Select Advanced to view all the settings. Note that IPsec Interface Mode is selected.
These settings can also be viewed through the CLI as follows:
conf vpn ipsec phase1-interface
show
The Phase1 IKE object is the IPsec interface referenced in the interface list and firewall policy. How is the traffic getting to this policy?
Traffic arrives at the FortiGate unit on the ingress interface. For new connections, a routing lookup is performed to select the egress interface and gateway, and then a lookup in the firewall policy finds a matching rule. It is the routing lookup that selects the egress, and therefore the remote interface is selected in this case. So a route is driving the traffic to the IPsec interface.
6. Go to Router > Monitor and view the current routing table. You will observe a static route to the destination 10.0.2.0/24 pointing to the remote interface. This is an example of the route-based VPN configuration. The alternative is the policy-based VPN, which we will review next.
Generally, the route-based VPN is the preferred approach; however, there are a few exceptions where you would need to use the policy-based VPN. These will be discussed later.
7. Open a web browser on the Windows Server and connect to the GUI on the Remote FortiGate device.
8. Go to VPN > Monitor > IPsec Monitor and examine the tunnel status from the Remote FortiGate device. You should observe a tunnel named student with the destination 10.200.1.1 and the Status is up. This is the tunnel that is established to the Student FortiGate device.
9. Still on the Remote FortiGate device, go to System > Network > Interface and note there is no tunnel sub-interface for port4.
10. Go to Router > Monitor and view the current routing table. You will observe that there is no route to the 10.0.2.0/24 destination; there is only a default route. How is the traffic entering the tunnel then?
11. Review the firewall policy that exists on the Remote FortiGate device. Note that there is a policy from port6 to port4 for address 10.0.2.0/24 (REMOTE_INTERNAL) to address 10.0.1.0/24 (STUDENT INTERNAL) with action IPsec. Edit this policy to view its settings.
The policy subtype is IPsec, and it uses the VPN Tunnel called student. It also has permissions to allow traffic inbound as well as outbound. We will look at these settings later.
How is the traffic matching this policy?
On the Student FortiGate device, a static route was sending traffic to the IPSec interface. Here there is no static route and the traffic is being sent to the tunnel using the policy subtype setting, hence policy-based.
The IPSec policy matches traffic from 10.0.2.0/24 to 10.0.1.0/24 and forwards it to the tunnel student.
12. From the Remote FortiGate device, go to VPN > IPsec > Auto Key (IKE) and review the IPSec configuration. Note the Phase 1 and Phase 2 IKE objects. These settings can also be viewed through the CLI:
conf vpn ipsec phase1-interface
conf vpn ipsec phase2-interface
13. Edit the Phase 1 IKE object remote and select Advanced to view all the settings. Note that IPSec Interface Mode is not selected. The Phase 1 IKE object is the IPSec tunnel referenced in the IPSec firewall policy. Here we are using policy-based on the Remote FortiGate device and interface-based on the Student FortiGate device. The type we use is of local significance; therefore we can mix them, as is the case in this example.
14. From the remote Windows XP host, attempt to run a continuous ping to 10.0.1.10. You should observe this ping fails. Can you identify why?
If the VPN is in Tunnel mode (policy-based), a single IPsec firewall policy is used to allow and regulate both incoming and outgoing traffic. If the VPN is in Interface mode, however, separate firewall policies are needed to allow inbound and outbound communication.
On the Student FortiGate device we have only configured the outgoing policy, and the VPN is in Interface mode. This is why the new incoming connection is dropped: there is no firewall policy to allow it.
15. Return to the Student FortiGate device and add the missing firewall policy. You should observe that the ping now succeeds.
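The forwarding decision described in this exercise (route lookup selects the egress, then policy lookup on the ingress/egress pair; a policy with action IPsec selects the tunnel instead) as an added simulation that is not part of the course material. Interface names, subnets and tunnel names follow the lab; the policy and route tables are constructed from its description, and the helper names are my own. It reproduces why the ping from the remote XP host fails until the inbound policy is added on the interface-mode side.

```python
# Added example (not from the Fortinet course): a toy forwarding engine for the
# two units in the lab, showing route-based (Student) versus policy-based
# (Remote) tunnel selection. Tables are constructed from the lab text.
from ipaddress import ip_address, ip_network


def route_lookup(routes, dst_ip):
    """Longest-prefix match over (prefix, egress interface) pairs."""
    best = None
    for prefix, egress in routes:
        net = ip_network(prefix)
        if ip_address(dst_ip) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, egress)
    return None if best is None else best[1]


def policy_lookup(policies, srcintf, dstintf, src_ip, dst_ip):
    """First policy whose interface pair and address objects match."""
    for p in policies:
        if (p["srcintf"] == srcintf and p["dstintf"] == dstintf
                and ip_address(src_ip) in ip_network(p["src"])
                and ip_address(dst_ip) in ip_network(p["dst"])):
            return p
    return None


def forward(unit, ingress, src_ip, dst_ip):
    """Verdict for a new connection: the route picks the egress, then the
    policy lookup runs on that (ingress, egress) pair."""
    egress = route_lookup(unit["routes"], dst_ip)
    if egress is None:
        return "drop: no route"
    pol = policy_lookup(unit["policies"], ingress, egress, src_ip, dst_ip)
    if pol is None:
        return f"drop: no policy {ingress}->{egress}"
    if pol["action"] == "ipsec":
        # policy-based VPN: the policy, not the route, selects the tunnel
        return f"tunnel {pol['tunnel']} via {egress}"
    return f"accept via {egress}"


# Student unit: route-based. A static route sends 10.0.2.0/24 to the IPsec
# interface 'remote'; only the outbound port3 -> remote policy exists at first.
STUDENT = {
    "routes": [("0.0.0.0/0", "port1"), ("10.0.1.0/24", "port3"), ("10.0.2.0/24", "remote")],
    "policies": [{"srcintf": "port3", "dstintf": "remote",
                  "src": "10.0.1.0/24", "dst": "10.0.2.0/24", "action": "accept"}],
}

# Remote unit: policy-based. Only a default route; the port6 -> port4 policy
# with action IPsec selects the tunnel 'student'.
REMOTE = {
    "routes": [("0.0.0.0/0", "port4")],
    "policies": [{"srcintf": "port6", "dstintf": "port4",
                  "src": "10.0.2.0/24", "dst": "10.0.1.0/24",
                  "action": "ipsec", "tunnel": "student"}],
}

# The policy step 15 asks you to add on the Student unit.
INBOUND_POLICY = {"srcintf": "remote", "dstintf": "port3",
                  "src": "10.0.2.0/24", "dst": "10.0.1.0/24", "action": "accept"}


def lab_results():
    student_fixed = {"routes": STUDENT["routes"],
                     "policies": STUDENT["policies"] + [INBOUND_POLICY]}
    return {
        # step 2: the Windows Server pings the remote XP host
        "student_outbound": forward(STUDENT, "port3", "10.0.1.10", "10.0.2.10"),
        # step 11: the XP host's packet leaves the Remote unit through the policy
        "remote_outbound": forward(REMOTE, "port6", "10.0.2.10", "10.0.1.10"),
        # step 14: that packet arrives on the Student unit's 'remote' interface
        "student_inbound_before": forward(STUDENT, "remote", "10.0.2.10", "10.0.1.10"),
        # step 15: after the missing remote -> port3 policy is added
        "student_inbound_after": forward(student_fixed, "remote", "10.0.2.10", "10.0.1.10"),
    }


if __name__ == "__main__":
    for case, verdict in lab_results().items():
        print(f"{case:24s} {verdict}")
```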
Module 7 Lab 1: Antivirus Scanning
The aim of this lab is to work with both flow-based and proxy-based Antivirus scanning.
Configure flow-based and proxy-based antivirus scanning
Test FortiGate unit AV scanning behavior
Estimated time to complete this lab: 30 minutes

Module 7 Lab 1: Antivirus Scanning Exercise 1
1. From the Windows Server, you will first need to connect to the Student FortiGate device and restore the configuration file that is needed for this lab. Connect to the GUI on the Student FortiGate device (10.0.1.254) and restore the following configuration file: Resources\Module7\Student\student-utm.conf. The Student FortiGate device will reboot.
2. When the FortiGate device has rebooted, go to Security Profiles > AntiVirus > Profile and configure the default profile as follows to enable AV scanning on HTTP:
Inspection Mode: Proxy
Virus Scan and Removal: Select HTTP and deselect all other settings
Once the inspection settings have been entered, click Apply to save the changes.
3. Go to Policy > Policy > Policy and edit the port3 → port1 policy. Turn ON AntiVirus and ensure that the default antivirus profile is selected. Once the profile is enabled on the policy, click OK to apply the changes.
4. Next, go to Policy > Policy > Proxy Options and examine the default proxy options that are shown. These settings determine how FortiOS handles each protocol: for example, which port numbers to use, whether to use client comforting, whether to block oversized emails, and so on.
5. Go to System > Config > Replacement Message. From the top right-hand corner select Extended View and, under Security, modify the Virus Block Page. The HTML editor that is displayed allows you to see the changes as you are making them. If you do not wish to use the standard block pages, they can be edited and modified as the situation requires. Click Save, shown above the editor window, to apply any changes.
6. From the virtual Windows Server host, launch a web browser and access the following web site: http://eicar.org
7. On the Eicar web page, click Download ANTI MALWARE TESTFILE (located in the top right-hand corner of the page) and then click the Download link that appears on the left. Download any of the eicar sample files from the Download area using the standard HTTP protocol.
The download attempt will be blocked by the FortiGate unit and a replacement message will be displayed similar to the following (should also include any customization you made earlier):
The Eicar file is an industry-standard used to test antivirus detection. The file contains the following characters: X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
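The test string above, used as an added example that is not part of the course material, to show the difference the lab's two inspection modes turn on: a proxy-based scanner buffers the whole object and matches once, while a flow-based scanner sees the object as a stream of chunks and must carry the tail of each chunk forward or it misses a signature that straddles a chunk boundary. The scanner is a toy substring matcher, not Fortinet's engine; the HTTP response and the chunk size are constructed. The test string is assembled from two halves so that this source file does not itself contain the contiguous signature, which some antivirus products flag wherever it appears.

```python
# Added example (not from the Fortinet course): whole-object versus streamed
# signature matching, using the EICAR test string printed in the lab.
# The string is split in two so this file is not itself flagged as EICAR.
EICAR = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
         b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")


def scan_whole(data, signature=EICAR):
    """Proxy-based style: the complete object is buffered, then scanned once."""
    return signature in data


def scan_stream(chunks, signature=EICAR):
    """Flow-based style: scan chunks as they arrive. The last len(signature)-1
    bytes of the previous window are prepended so a signature that straddles
    a chunk boundary is still matched."""
    carry = b""
    keep = len(signature) - 1
    for chunk in chunks:
        window = carry + chunk
        if signature in window:
            return True
        carry = window[-keep:] if keep else b""
    return False


def scan_stream_naive(chunks, signature=EICAR):
    """The mistake the carry-over avoids: scanning each chunk in isolation."""
    return any(signature in chunk for chunk in chunks)


def http_response(body):
    """Constructed HTTP/1.1 response carrying the body, as the proxy sees it."""
    head = (b"HTTP/1.1 200 OK\r\n"
            b"Content-Type: application/octet-stream\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n")
    return head + body


def chunked(data, size):
    """Split the byte string into consecutive pieces of at most `size` bytes."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def lab_results():
    infected = http_response(EICAR)                       # the eicar.com download
    clean = http_response(b"Hello from 10.0.1.10\r\n")   # constructed benign reply
    return {
        "whole_infected": scan_whole(infected),
        "whole_clean": scan_whole(clean),
        "stream_infected": scan_stream(chunked(infected, 16)),
        "stream_clean": scan_stream(chunked(clean, 16)),
        # 16-byte chunks can never contain the 68-byte signature on their own
        "naive_stream_infected": scan_stream_naive(chunked(infected, 16)),
    }


if __name__ == "__main__":
    for case, hit in lab_results().items():
        print(f"{case:22s} {'DETECTED' if hit else 'clean'}")
```

The naive result is the one worth remembering when comparing the two modes: correctness of stream scanning depends on keeping state across chunks, which is why a flow-based engine has to retain a window of the previous data rather than judging each packet alone.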
8. The HTTP virus message is shown when infected files are blocked or have been quarantined. In the message that is displayed, click the link to the Fortinet Virus Encyclopedia to view information about the detected virus.
9. From the GUI on the Student FortiGate device, go to Log & Report > Traffic Log > Forward Traffic and locate the antivirus event messages. In order to view summary information of the AV activity, add the Advanced Threat Protection Statistics widget to the Dashboard.
10. On the Eicar web page, click Download ANTI MALWARE TESTFILE and then click the Download link that appears on the left. This time, select the eicar.com file from the Download area using the secure, SSL enabled protocol HTTPS section. The download should be successful because we have not enabled SSL inspection.
11. To enable inspection of SSL encrypted traffic on the Student FortiGate unit, go to Policy > Policy > SSL/SSH Inspection and, under SSL Inspection Options, ensure the protocol HTTPS on port 443 is enabled. Click Apply.
12. Next, go to Policy > Policy > Policy and edit the policy port3 → port1. Under Security Profiles, enable SSL/SSH Inspection by setting this to ON. Click OK.
13. To ensure that there are no existing sessions prior to deep scanning the communication exchange, connect to the CLI of the Student FortiGate unit and enter the following commands:
diag sys session filter dport 443
diag sys session clear
14. Return to the Eicar web page and attempt to download the eicar.com file from the Download area using the secure, SSL enabled protocol HTTPS section. This time, the download will be blocked by the FortiGate unit and the replacement message will be displayed. If this is not the case, you may need to clear your recent browsing history as the object may be cached. In Firefox, select History > Clear Recent History > Everything.
15. Go to Security Profiles > Antivirus > Profile and change the Inspection Mode for the default Antivirus Profile to Flow-based. Click Apply. Try downloading the eicar.com file again. What happens now when the virus is detected?
Module 8 Lab 1: Email Filtering
The aim of this lab is for students to work with email filtering.
Enable and use email filtering on a FortiGate unit
Modify inspection rules to black or white list emails (using banned word, IP, email etc.)
Read and interpret email log entries
Estimated time to complete this lab: 30 minutes

Module 8 Lab 1: Email Filtering Exercise 1
1. From the Windows Server, you will first need to connect to the Student FortiGate device and restore the configuration file that is needed for this lab. This module uses the same config as in Module 7. Connect to the GUI on the Student FortiGate device (10.0.1.254) and restore the following configuration file: Resources\Module7\Student\student-utm.conf. The Student FortiGate device will reboot.
2. When the FortiGate device has rebooted, go to System > Config > Features. Under Security Features, turn ON Email Filtering. This step is required to enable the Email filtering feature on the FortiGate device. By default, this is a hidden security feature. Click Apply to save the changes.
3. Next, go to Security Profiles > Email Filter > Profile and edit the default email filtering profile. Select Enable Spam Detection and Filtering to enable it, then click Apply. Configure the following settings:
SMTP Spam Action: Tagged
FortiGuard Spam Filtering: Enable IP Address Check, Enable URL Check
Once the changes to the email profile have been entered, click Apply to save the changes.
4. By default, FortiGuard services are enabled. Go to System > Config > FortiGuard and check the status of the service. (If you are using the hosted virtual lab environment, you will need to change the service port to UDP 8888.)
5. Go to Policy > Policy > Policy and edit the port3 → port1 outgoing policy. Under Security Profiles, turn ON Email Filter and ensure that the default email filter profile is selected.
In the steps that follow, you will generate and send test spam emails to your Microsoft Outlook user@internal.lab inbox. In the classroom lab environment, you will initiate the spam generation using a script called smtpmboxgen.pl which is provided in the Resources\Module8 folder. Details for using this script will be provided in the steps that follow.
6. From the Windows server, open a command prompt and change directory to the C:\Documents and Settings\Administrator\Desktop\Resources\Module8 folder as follows:
CD C:\Documents and Settings\Administrator\Desktop\Resources\Module8
Next, run the spam script by entering the following:
smtpmboxgen.pl
7. From your Microsoft Outlook mail client, check the email inbox to review the tagged spam. To view the corresponding logging events, go to Log & Report > Traffic Log > Forward Log.
8. From the CLI on the Student FortiGate device, execute the following commands to enable Banned Word Check in the default email filter profile:
config spamfilter profile
    edit "default"
        set spam-filtering enable
        set options bannedword spamfsip spamfsurl
        set spam-bword-table 1
end
9. Next, run the commands below to review the banned words that have already been configured for you in the configuration file being used for this lab.
config spamfilter bword
show
Notice the use of both regular expressions and wildcards in that list.
10. Go to Security Profiles > Email Filter > Profile again and this time modify the default email filtering profile to set the SMTP Spam Action to Discard.
11. From your Microsoft Outlook mail client, generate a message to test@gmail.com that will be caught by the banned words that have been configured. For example, add the word training to the subject or message body of your test email and attempt to send the message. When you send the email, the following message displays, indicating the message was blocked:
Remember that some banned words apply only to the subject line, others apply only to the body, and others apply to both. A banned word is only scored once: for example, if a banned word has a score of 10 and the word occurs four times in the message body, the message is still only assigned a score of 10 for that word.
12. Go to Log & Report > Security Log > Email Filter and check the email filtering log entries for this event as well. To make it easier to view all email activity, add the column Dst Port and filter on port 25.
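The scoring rules just stated (a pattern applies to the subject, the body or both; wildcard and regular-expression patterns; each banned word counted once however often it occurs) as an added implementation that is not part of the course material and not Fortinet's engine. The banned word table below is constructed; only the word training follows the lab. The threshold that turns a score into a spam verdict is an assumption for this example.

```python
# Added example (not from the Fortinet course): a banned word scorer that
# follows the rules described in the lab. Table entries and threshold are
# constructed for illustration.
import re

# Constructed banned word table: pattern, wildcard or regexp, where it applies
# (subject, body or all) and its score. 'training' is the lab's test word.
BANNED_WORDS = [
    {"pattern": "training", "pattern_type": "wildcard", "where": "all", "score": 10},
    {"pattern": "free*money", "pattern_type": "wildcard", "where": "subject", "score": 25},
    {"pattern": r"v[i1]agra", "pattern_type": "regexp", "where": "body", "score": 40},
]

# Assumed threshold: a message whose total score reaches it is treated as spam.
SPAM_THRESHOLD = 10


def compile_entry(entry):
    """Turn a table entry into a case-insensitive regex usable with search()."""
    if entry["pattern_type"] == "wildcard":
        # '*' matches any run of characters and '?' any single character;
        # everything else is taken literally
        pieces = [re.escape(p).replace(r"\?", ".") for p in entry["pattern"].split("*")]
        regex = ".*".join(pieces)
    else:
        regex = entry["pattern"]
    return re.compile(regex, re.IGNORECASE)


def score_message(subject, body, table=BANNED_WORDS):
    """Return (total score, list of matched patterns).

    Each entry is checked only against the parts it applies to and contributes
    its score at most once, no matter how many times the word occurs."""
    total, hits = 0, []
    for entry in table:
        parts = []
        if entry["where"] in ("subject", "all"):
            parts.append(subject)
        if entry["where"] in ("body", "all"):
            parts.append(body)
        rx = compile_entry(entry)
        if any(rx.search(part) for part in parts):
            total += entry["score"]
            hits.append(entry["pattern"])
    return total, hits


def is_spam(subject, body, threshold=SPAM_THRESHOLD, table=BANNED_WORDS):
    """Spam verdict: the summed score meets the profile threshold."""
    return score_message(subject, body, table)[0] >= threshold


if __name__ == "__main__":
    samples = [("Re: training", "see you there"),
               ("Free MONEY now", "training training training training"),
               ("v1agra", "plain text")]
    for subject, body in samples:
        print(f"{subject!r:20s} score={score_message(subject, body)} spam={is_spam(subject, body)}")
```

The second sample is the lab's point in code: four occurrences of training in the body still add 10, not 40, and the body-only pattern never fires on a subject line.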
Module 9 Lab 1: Web Filtering
The aim of this lab is for students to configure web filtering to block specific categories of web content. The interaction of local categories and overrides will also be demonstrated.
Enable and use web filtering on a FortiGate device
Select the most effective method for blocking or allowing a web site
Read and interpret web filter log entries
Estimated time to complete this lab: 30 minutes

Module 9 Lab 1: Web Filtering Exercise 1
1. From the Windows Server, you will first need to connect to the Student FortiGate device and restore the configuration file that is needed for this lab. This module uses the same config as in Module 7. Connect to the GUI on the Student FortiGate device (10.0.1.254) and restore the following configuration file: Resources\ Module7\Student\student-utm.conf. The Student FortiGate device will reboot.
2. When the FortiGate device has rebooted, go to System > Status and under License Information check the FortiGuard Services Web Filtering status to ensure that the license has been validated. A green check mark should be displayed.
3. In the GUI on the Student FortiGate device, go to Security Profiles > Web Filter > Profile and review the settings of the default web filter profile.
4. Verify that the Inspection Mode is set to Proxy and enable FortiGuard Categories. Under FortiGuard Categories, right-click the web category Potentially Liable and select the action: Authenticate.
Next, set Selected User Groups to the training user group and accept the default Warning Interval value of 5 minutes.
Click OK to save the settings.
5. Repeat the above step for the following web categories:
- Adult/Mature Content
- Security Risk
Click OK to save the settings.
6. Next, right-click the web category Bandwidth Consuming and select Warning. Accept the default Warning Interval value of 5 minutes, then click OK to save the settings.
7. Repeat the above step for the web category: Unrated. Right-click the web category General Interest Business and select Block. Click Apply to save your changes.
8. Go to Policy > Policy > Policy and edit the outgoing port3 > port1 policy. Under Security Profiles, turn on Web Filter and ensure that the default profile is selected. Next, turn ON SSL/SSH Inspection under Proxy Options and ensure the default profile is selected. Click OK to save the policy changes.
9. From the CLI on the Student FortiGate device, check the low-level status information of the web filtering service by entering the following command:
    diag debug rating
The command diag debug rating shows the list of FDS servers for web filtering that the FortiGate unit is using to send requests. In normal operation, rating requests are only sent to the server at the top of the list. Each server is probed for RTT every 2 minutes.
The diag debug rating flags indicate the server status as explained below:
- D indicates the server was found via the DNS lookup of the hostname. If the hostname returns more than one IP address, all of them will be flagged with 'D' and will be used first for INIT requests before falling back to the other servers.
- I indicates the server to which the last INIT request was sent.
- F signifies the server has not responded to requests and is considered to have failed.
- T signifies the server is currently being timed.
10. From a web browser on the virtual Windows Server, connect to a web site that is usually blocked by the training policy and verify that the blocked message is displayed. A FortiGuard replacement message should be displayed.
11. Go to System > Config > Replacement Message and under Security select FortiGuard Block Page, then change the text of the block message to customize it. Click Save, located in the upper-right hand corner of the edit pane, to apply your changes.
12. Revisit the same web site and ensure that the customized FortiGuard Block Page message is displayed. You may need to clear your browser's cache or refresh the block page, as the browser might take the page from its local cache.
13. Next, in the web browser, attempt to connect to a web site in a category with an Authenticate action (for example, one of the categories you set to Authenticate in Step 4). A Web Page Blocked message is displayed again, this time with a Proceed button.
14. Click Proceed to view the Web Filter Block Override page. Enter the username student and the password F0rtinet and click Continue. The web page should now be displayed.
15. From the GUI on the Student FortiGate device, go to Log & Report > Traffic Log > Forward Traffic and locate the log messages related to the web filtering activity.
In the following steps, you will configure an access quota for a couple of categories. Quotas allow access to web resources for a specified length of time.
16. Go to Security Profiles > Web Filter > Profile and edit the default web filter profile.
17. Expand Quota on Categories with Monitor, Warning and Authenticate Actions and click Create New to create new quotas. Select the categories (the same as in Step 4) to be assigned quotas and set the quota time value to 5 minutes. Once you have altered the web filter profile, click OK, then click Apply to save the profile settings.
18. From a web browser on the Windows Server, attempt to visit a blocked category web site again.
19. Click Proceed on the Web Page Blocked page. Authenticate on the Web Filter Block Override page using the username student and the password F0rtinet and click Continue. Once authenticated properly, the quota timer is initiated.
20. To view the quota timer value, enable the Security Profiles monitors through the CLI as follows:
    config sys global
        set gui-utm-monitor enable
    end
Then go to Security Profiles > Monitor > FortiGuard Quota. If the FortiGuard Monitor is not displayed, you may need to clear the web browser's cache or refresh the page.
When the daily quota value is reached, the FortiGuard replacement message will be displayed again.
21. From the GUI on the Student FortiGate device, go to Log & Report > Traffic Log > Forward Traffic and locate the log messages related to the web filtering activity.
22. Edit the default web filter profile, expand Quota on Categories with Monitor, Warning and Authenticate Actions and delete the quotas on the selected categories. Click OK, then click Apply to save the profile settings.
23. Still in the web filter profile, change the Inspection Mode to Flow-based. A notification is displayed as follows:
Click OK and then click Apply.
24. Test the behavior of flow-based inspection by connecting to a web site that is usually blocked. Check the log entry for this blocked request.
Module 10 Lab 1: Application Identification
The aim of this lab is for students to use the application control feature to properly identify a given application. Students will complete the following tasks:
- Configure application control in the student lab environment
- Read and understand application control logs
Estimated time to complete this lab: 30 minutes
Exercise 1
1. From the Windows Server, you will first need to connect to the Student FortiGate device and restore the configuration file that is needed for this lab. This module uses the same config as in Module 7. Connect to the GUI on the Student FortiGate device (10.0.1.254) and restore the following configuration file: Resources\Module10\Student\student-app.conf. The Student FortiGate device will reboot.
2. From the GUI on the Student FortiGate device, go to Security Profiles > Application Control > Application Sensor and review the default application control sensor. (Ensure you are selecting the sensor named default.)
3. On the Edit Application Sensor page, check the settings for the following rules:
- Application: Youtube
- Application: Myspace
Check the Action setting for each filter. What are the expected actions of these sensors?
Traffic shaping is enabled for Youtube and these applications use a shared traffic shaper which is capped at 1 Mbps. Connections to Myspace are blocked.
Before proceeding ensure both of these signatures are located at the top of the list. Click Apply to save changes to the profile.
4. Go to Policy > Policy > Policy and edit the port3port1 policy. Ensure that Application Control is turned ON and that the default Application Control sensor is selected. Click OK.
You will now test the application control configuration. From the virtual Windows Server, open a web browser and connect to YouTube.com.
5. On the YouTube web site, attempt to play a few videos. Check the traffic shaper monitor in Firewall Objects > Monitor > Traffic Shaper Monitor.
6. Next, enable the Security Profiles monitors through the CLI as follows:
    config sys global
        set gui-utm-monitor enable
    end
Then check the Application monitor in Security Profiles > Monitor > Application Monitor. If the Application Monitor is not displayed, you may need to clear the web browser's cache or refresh the page.
7. From the virtual Windows Server host, open a web browser and connect to Myspace.com. You should observe that you cannot connect to this site.
8. Go to Security Profiles > Application Control > Application Sensor and edit the default sensor again. Click Create New to add a new application filter and select Specify Applications.
9. In the search field shown above the Application Name column, enter Facebook. From the results that display, select Facebook from the Application Name column. A window displays with a description of the application, including popularity, and a reference link that you can click to obtain more rating information from the FortiGuard Center. Set Action to Block and ensure that this new signature is placed at the top of the list.
Once you have added the filter to the profile, click Apply to save the changes. Test that this site is now blocked. Go to Log & Report > Traffic Log > Forward Traffic and view the log information to confirm that this action was correctly logged. The status of the connection should be displayed as deny.
10. From the web browser, attempt to access the following web site: http://proxite.us On the proxy web page, scroll down to the bottom and enter the URL of MySpace.com. Click Go. You should observe that this does allow some connectivity to the site. What action can be taken to stop this?
You can create a new rule in the sensor to block the Proxy category.
Module 10 Lab 2: Traffic Shaping
The aim of this lab is for students to work with the traffic shaping function of application control to limit a specific application. Students will complete the following tasks:
- Restrict YouTube video bandwidth
Estimated time to complete this lab: 10 minutes

Exercise 1
1. From the Windows Server, you will first need to connect to the Student FortiGate device and restore the configuration file that is needed for this lab. Connect to the GUI on the Student FortiGate device (10.0.1.254) and restore the following configuration file: Resources\Module10\Student\Student-app.conf The Student FortiGate device will reboot.
2. Go to Policy > Policy > Policy and edit the outbound port3 > port1 firewall policy. Set Application Control to ON and from the drop-down list select the monitor-p2p-and-media profile. Click OK to save the policy settings.
3. From a web browser on the virtual Windows Server host, connect to a Youtube web site and stream a random video. Go to Log & Report > Traffic Log > Forward Traffic and view the application control log entries that are generated.
4. From the GUI on the Student FortiGate device, go to Firewall Objects > Traffic Shaper > Shared and create a new traffic shaper with the following details:
- Name: YouTube
- Maximum Bandwidth: 100
Note: The units are kilobits per second. Take this into consideration when setting values, as bandwidth is typically measured in kilobytes, or even larger units.
5. Go to Security Profiles > Application Control > Application Sensor and select the monitor-p2p-and-media application control profile from the drop-down list shown in the upper right-hand corner of the window.
6. Next, edit the sensor: ID2 (Video/Audio). If the ID column is not visible, modify the column settings to add it. Scroll to the bottom of the window and set Action to Traffic Shaping. Enable both Forward and Reverse Direction Traffic Shaping and, from the drop-down list, select the YouTube traffic shaper you created in the previous step.
Once you have applied the YouTube shaper to both the forward and reverse direction for this signature, click OK, then click Apply.
7. Clear the web browser cache and re-open the browser. Connect to the Youtube web site again and stream the same video. If you set the shaper levels low enough, the experience of playing the video will be very different.
Note: Only shared shapers are allowed, so the maximum value here would apply to everyone inside the network that was using the application (YouTube videos in this case). Keep this in mind when using this option.
Module 10 Lab 3: Selective Application Control
The aim of this lab is to demonstrate how application control can be used to selectively block only specific features inside some network applications. Students will complete the following tasks:
- Block user attempts to edit any Wikipedia article, while allowing read-only access to that website.
Estimated time to complete this lab: 10 minutes
Exercise 1
1. From the Windows Server, open a browser window and access: http://www.wikipedia.org
Search for and open any Wikipedia article.
2. Click on the Edit tab at the top of the page. This should open the Wikipedia editor feature that allows any user to modify articles.
3. From the GUI on the Student FortiGate device, go to Security Profiles > Application Control > Application Sensor and select the monitor-p2p-and-media application control profile from the drop-down list shown in the upper right-hand corner of the window.
4. Click Create New to add a new application filter and select Specify Applications.
5. In the search field shown above the Application Name column, enter Wikipedia. From the results displayed, select Wikipedia_Edit from the Application Name column. Set Action to Block and ensure that this new signature is placed at the top of the list. Once you have added the filter to the profile, click Apply to save the changes.
6. Clear the web browser's cache and access a different Wikipedia article. You should still have access to the Wikipedia document. Try to edit any article again. You should notice that this time you are not able to edit the article.

Appendix A: Additional Resources
1. Fortinet Documentation: http://docs.fortinet.com
The documentation web site contains all Fortinet manuals, white papers and guides for Fortinet products.
2. Fortinet Knowledge Base: http://kb.fortinet.com
This site is useful for finding working examples and tips for Fortinet products.
3. Fortinet Web Site: http://www.fortinet.com
The Fortinet web site contains all hardware and product specifications.
4. FortiGuard Web Site: http://www.fortiguard.com
This site is suitable for finding information about the FortiGuard Subscription Services.
5. FortiCare Web Site: https://support.fortinet.com
The FortiCare web site is used to interface with Fortinet support, register devices you have purchased and download firmware updates.
6. Fortinet User Forums: http://support.fortinet.com/forum/
These are user-led and user-run forums that discuss many different topics surrounding the use of Fortinet devices.