
Fortinet Course 201

FCNSA LAB GUIDE


Lab 1 Initial Setup
Objectives
This lab will guide the student through the basic setup of the FortiGate unit and
provide an initial orientation to the CLI and Web Config.
Tasks
In this lab, the following tasks will be completed:
Exercise 1 Connecting the FortiGate unit
Exercise 2 Accessing the Command Line Interface (CLI)
Exercise 3 Accessing FortiGate Web Config
Exercise 4 Configuring Network Connectivity
Exercise 5 Exploring the CLI
Exercise 6 Configuring Global System Settings
Exercise 7 Configuring Administrative Users
Timing
Estimated time to complete this lab: 55 minutes
Exercise 1
Connecting the FortiGate unit
1. Plug the Internet connection into the wan1 port on the FortiGate unit. Verify that the WAN1 LED
indicators on the front of the device (Link/Activity and 10/100) are green.
2. Connect the PC's network cable to the internal interface of the FortiGate unit and make sure the
corresponding INTERNAL LED indicators are green. This step is already done in the lab setup.
3. Access the wireless network 'NetworkY' using the key 'networkY!$' and connect to the FortiGate 51B by
telnet to 192.168.10Y.254 using admin / netsafeY!$ as credentials.
Note: Use an IP address of 192.168.10Y.X/24.
Note: In all labs, substitute Y with the number assigned by the instructor (the group/network number). X
represents the student number, as agreed at the beginning of the course.
Note: In the classroom lab environment, all addresses used are private addresses as outlined in RFC 1918. The
wan1 Internet subnet is actually a private address subnet and cannot be used in a real-world situation.
Note: The internal interface on a FortiGate unit is a multi-port switching hub port with auto-MDI-X sensing, so either a
straight or cross-over cable can be used.
Exercise 2
Accessing the Command Line Interface (CLI)
1. When setting up a new FortiGate unit, establishing the connection to the CLI is
generally the first step, even if many of the configuration changes are performed in Web Config.
Use a serial cable to connect the serial port on the PC to the FortiGate console port, which is located on the
back of the device.
If the PC is not equipped with a serial port, a USB-to-serial adapter (purchased separately) can be used to
connect the PC to the FortiGate device.
2. Start a terminal emulation program on the PC (such as Windows HyperTerminal or TeraTerm) to connect
to the FortiGate unit. The serial connection settings required are:
9600 bps
8 data bits
no parity
1 stop bit
no flow control
3. At the FortiGate CLI login prompt, log in with the username admin (all lowercase). The default password
on the device is blank.
4. Log in to the CLI once again and type the following command to display status
information about the FortiGate unit:
get system status
The output displays the FortiGate unit serial number, firmware build, operational mode, and additional
settings.
Confirm that the firmware build on the FortiGate unit is 4.00 MR2, the required version for this course.
5. Type the following command to see a full list of accepted objects for the get
command:
get ?
Depending on objects and branches used with this command, there may be
other sub-keywords and additional parameters to enter.
6. Press the up arrow key to display the previous get system status command and
try some of the control key sequences summarized below:
Previous command: up arrow or CTRL+P
Next command: down arrow or CTRL+N
Beginning of line: CTRL+A
End of line: CTRL+E
Back one word: CTRL+B
Forward one word: CTRL+F
Delete current character: CTRL+D
Abort command and exit branch: CTRL+C
CTRL+C is context sensitive and, in general, aborts the current command and moves up to the previous
command branch level. If already at the root branch level, CTRL+C will force a logout of the current
session and another login will be required.
7. Type the following command and press the <tab> key 2 or 3 times.
execute <tab>
The command displays the list of available system utility commands one at a
time each time the <tab> key is pressed.
Note: Log back into the CLI if the admin login timeout has elapsed.
8. Type the following command to see the entire list of execute commands:
execute ?
9. Enter the following CLI commands and compare the available keywords for
each one:
config ?
show ?
These two commands are closely related:
config enters the configuration mode, while show displays the configuration. The default behavior of the
show command is to display only the differences from the factory-default configuration, whereas
show full-configuration displays every setting, including the defaults.
10. Enter the following CLI commands to display the FortiGate unit's internal interface configuration
settings and compare the output for each of them:
show system interface internal
show full-configuration system interface internal
Only the first few characters need to be typed, optionally followed by <tab>, to complete the command
keyword. Use this technique to reduce the number of keystrokes needed to enter information. CLI commands
can be entered in an abbreviated form as long as enough characters are entered to
ensure the uniqueness of the command keyword.
11. Enter the CLI command below to display the factory-set IP address of the
FortiGate's internal interface.
show system interface internal
The internal interface's IP address is 192.168.10Y.254. This address will be used later for
HTTP/HTTPS administrative access to the FortiGate device.
Exercise 3
Accessing FortiGate Web Config
To access Web Config using a standard Web browser, ensure that cookies and Javascript are enabled
for proper rendering and display of the graphical user interface.
1. Ensure that the IP addressing mode on the PC is set to static IP address. Use an IP address in the
192.168.10Y.X/24 format with a gateway of 192.168.10Y.254.
2. Verify the PC settings using the ipconfig command from the Windows command prompt. The default
gateway corresponds to the IP address of the internal interface on the FortiGate unit
(192.168.10Y.254).
3. Open a web browser and type the following address to access the FortiGate Web Config interface.
https://192.168.10Y.254
Accept the self-signed certificate or security exemption if a security alert appears. HTTPS is the
recommended protocol for administrative access to the FortiGate unit. Other available protocols include
SSH, ping, SNMP, HTTP, and Telnet.
4. At the login screen, enter the username admin and the password netsafeY!$. Click Login.
5. The Dashboard is displayed after a successful login. Before continuing with
the rest of the initial configuration, explore the Dashboard page and find the following information:
Current Firmware Version
Date and Time
Serial Number
Operation Mode
Other system details found on the Dashboard include the current CPU and memory usage, number of
active sessions, alert messages, number of administrative users, and FortiGuard Services status.
6. To avoid Web Config timeouts during the lab exercises, increase the idle timeout. Go to System >
Admin > Settings. Increase the Idle Timeout to 60 minutes.
Leave all other settings unchanged. Click Apply to save the changes.
7. Before proceeding to the next exercise, ensure that the FortiGate unit is
running the correct version of FortiOS firmware (FortiOS version 4.0 MR2).
Note: If the unit is not running the correct version, click Update for Firmware Version on the Dashboard and browse to the
firmware file available from the Fortinet Support site with a valid service contract.
Exercise 4
Configuring Network Connectivity
The FortiGate unit's wan1 interface settings must be configured using one of the following addressing
modes: DHCP, Manual (Static IP), or PPPoE.
Complete the steps for the configuration that applies to the Internet setup on the computer being used
to complete the exercise.
If the network setup supports DHCP, complete the section Configuring the wan1 Interface Using DHCP.
If using PPPoE, complete the section Configuring the wan1 Interface Using PPPoE.
If using static IP addresses, complete the section Configuring the wan1 Interface Using Manual
Assignments. (The lab setup supports manual assignment only; configure the wan1 interface as below.)
Configuring the wan1 Interface Using Manual Assignments
If the Internet setup on the student PC uses manual IP assignments, complete the steps below for the
wan1 network configuration.
1. In Web Config, go to the System > Network > Interface tab. Select the wan1 interface and click Edit.
On the Edit Interface page, configure the following settings:
Addressing mode: Manual
IP/Netmask: Enter the IP address and netmask (as provided by a network administrator).
For example:
192.168.2.10Y/255.255.255.0
Administrative access: HTTPS
Click Apply.
2. Click the Options tab to open Networking Options. In the Primary DNS Server field, enter the IP
address of the DNS server given by the network administrator (use 4.2.2.2).
If a second DNS server is available, enter its IP address in the Secondary DNS Server field (use 4.2.2.3).
Click OK.
Note: Configuration changes are saved to non-volatile flash memory when clicking OK in Web Config or when
next or end is entered on the CLI. No explicit save command is required. For CLI configuration only, this behavior
can be changed to require an explicit save, or to revert after a set period if an explicit save is not performed:
config system global
set cfg-save <automatic/manual/revert>
set cfg-revert-timeout <600> (in seconds, only when cfg-save is revert)
end
3. Go to Router > Static > Static Route and click Create New to define a new static route entry for the
default gateway.
In the New Static Route window, leave the Destination IP/Mask settings at the default setting
0.0.0.0/0.0.0.0.
Select the wan1 device from the list and, in the Gateway field, enter the IP address of the default gateway
as provided by a network administrator (192.168.2.254).
Leave the distance at the default of 10.
Click OK.
4. From the CLI, type the following commands to view the interface settings for wan1:
config system interface
edit wan1
get
end
5. In a DOS command prompt window, use the nslookup command to verify
the IP address of a web site. For example:
nslookup www.fortinet.com
6. Ping the IP address displayed by the command above using the following
command in the CLI:
exec ping <IP address of web site>
7. To secure the wan2 interface from accidental use, remove its IP address
and administratively disable the port. The IP address can only be unset from the CLI.
In the CLI, enter the following commands to clear the IP address of the wan2 interface and disable it:
config system interface
edit wan2
unset ip
set status down
end
8. In Web Config, go to System > Network > Interface. Note that the interface list
will now display wan2 with a disabled status icon (red dot with a down arrow). A display refresh may
be needed to see the new status information.
9. Enter the following commands to adjust the DHCP settings for the internal DHCP server on each of the
two units.
config system dhcp server
edit 1
set default-gateway 192.168.10Y.254
set dns-server1 4.2.2.2
set dns-server2 4.2.2.1
set netmask 255.255.255.0
set interface internal
config ip-range
edit 1
set end-ip 192.168.10Y.220
set start-ip 192.168.10Y.110
next
end
end
10. Enter the following CLI commands to modify the settings on the internal interface on the FortiGate
unit:
config system interface
edit internal
set allowaccess http https ping ssh telnet
end
exit
The exit command closes the FortiGate CLI session.
On the student PC, adjust the network settings to obtain an IP address automatically through DHCP and
renew the IP address using the ipconfig /release and ipconfig /renew commands from
the DOS command prompt.
To view the configuration of the configured DHCP server, go to System > DHCP Server > Service. Select
the internal DHCP server and click Edit, or double-click the entry, to view the settings for the pre-defined
DHCP server.
Note: The DHCP leases are preserved even when the FortiGate unit is rebooted. To clear all DHCP leases,
disable and then re-enable the specific DHCP server.
11. To view the DHCP address leases, go to System > DHCP Server > Address Leases and locate the
entry for the PC in the displayed list. As new PCs are connected to the trusted internal subnet, a list of all
the DHCP address leases that have been assigned will be displayed.
Exercise 5
Exploring the CLI
1. To view the configuration of the FortiGate interfaces through the CLI, type the
following command:
show system interface
2. To see verbose settings, type the following command:
show full-configuration
3. To view additional parameters for all interfaces, type the following command:
get system interface
Compare the get command output with the output from the show command. The information from
each is similar: get displays all settings and values, while show gives the syntax for the configuration.
4. The FortiGate CLI is hierarchical, which means that some commands are only
applicable at a certain level or context. To demonstrate the hierarchy, modify the wan1 interface to add
additional administrative access to assist with troubleshooting during initial deployment. To add SSH
access on the wan1 interface, type the following CLI commands:
config system interface
edit wan1
set allowaccess https ping ssh
next
end
5. Verify the changes by typing the following command:
show system interface wan1
6. Display the configuration of the DHCP server that provides IP addresses to the
PCs connected to the internal interface with the following commands:
show system dhcp server (or show full-configuration system dhcp server)
get system dhcp server
7. To inspect the DHCP leases in the CLI for the addresses distributed by the
internal interface DHCP server, type the following command:
exec dhcp lease-list
Other available DHCP CLI commands are listed below. Please do not run these commands at this
time.
DHCP leases can be cleared with the following command:
exec dhcp lease-clear
DHCP leases can be refreshed with the following command:
exec interface dhcpclient-renew <interface name>
Exercise 6
Configuring Global System Settings
1. In Web Config, go to System > Network > Options. Modify the following DNS
settings:
Primary DNS Server: 4.2.2.1
Secondary DNS Server: 4.2.2.2
Click Apply.
Note: For FortiGate 200A models and higher, the Primary DNS and Secondary DNS servers can only be configured
manually. The factory defaults are set to the Fortinet-maintained DNS forwarders 208.91.112.53 and
208.91.112.52 respectively.
2. Compare the output of the following DNS CLI commands:
show system dns
get system dns
The output should correspond to the changes made in Step 1.
3. For logging purposes, as well as to optimize FortiGuard updates, the FortiGate unit should be set to the
correct time zone and NTP server synchronization should be enabled. Go to System > Dashboard >
Status. In the System Information widget, click the [Change] link for System Time. Select the appropriate
Time Zone.
Enable Automatically adjust clock for daylight saving changes if required in the local area.
Enable Synchronize with NTP Server. By default, pool.ntp.org will be used, or a local NTP server
can be used if available.
Click OK.
4. Display the current system time from the CLI by typing the following command:
execute time
Type exec time ? to view the syntax to set the system time manually.
5. Verify that the date setting is correct by typing the following CLI command:
exec date
6. In the System Information widget, click the [Change] link for Host Name and change the hostname of
the FortiGate unit to NetworkY. Click OK.
The new hostname will appear in the browser title bar at the next login or when the page is refreshed.
7. View the CLI equivalents of all the system settings configured in the above steps by typing
the following command:
show system global
Exercise 7
Configuring Administrative Users
1. Go to System > Admin > Administrators to view the list of current administrators.
Click to select the default admin administrator and click Edit, or double-click the entry in the list. The
factory default Trusted Host setting of 0.0.0.0/0 allows connections from any host address.
Click Cancel to close the Edit Administrator page.
2. Click to select the default admin administrator and click Change Password.
The current password for the admin account is netsafeY!$; set the password to fortinet.
To save the changes, click OK.
3. Log back into Web Config using the new admin password.
4. To enhance administrative security, create a new administrator account that will be used for day-to-day
administration of the FortiGate device and restrict the source IP of connections with Trusted Hosts.
Go to System > Admin > Administrators. Click Create New to create a new administrator with the
following settings:
Administrator: adminX
Type: Regular
Password: fortinetX
Trusted Host #1: 192.168.10Y.0/24
Admin Profile: super_admin
Click OK to save the changes.
Note: Ping requests to this device are also restricted by the trusted host setting of the
administrator account.
5. Go to System > Admin > Admin Profile. Click Create New to define a new
admin profile called content-control as in the New Admin Profile window illustrated below. Limiting
access only to the areas affecting content inspection helps to eliminate accidental errors that could
adversely affect connectivity.
[Figure: New Admin Profile window. Profile Name: content-control. Access Control (None / Read Only / Read-Write) is set per area: System Configuration, Network Configuration, Admin Users, FortiGuard Update, Maintenance, Router Configuration, Firewall Configuration, UTM Configuration, VPN Configuration, Auth Users, WAN Opt & Cache, Endpoint NAC, Log & Report.]
Click OK.
6. Go to System > Admin > Administrators and create a new administrator account that uses the new
content-control admin profile. Configure the new administrator account using the following settings:
Administrator: cadminX
Type: Regular
Password: 123456
Trusted Host #1: 192.168.10Y.0/24
Admin Profile: content-control
Click OK.
7. To view the CLI configuration for administrative users and profiles, type the
following commands:
show system admin
show system accprofile
8. Test the new administrative access login by logging out of the current Web
Config session and logging in again as the new cadmin user. Try to access areas set to read only; for
example, go to System > Network > Interface.
The data can be viewed but not edited.
The Trusted Host setting configured for adminX and cadminX will only allow
access from PCs connected to the internal 192.168.10Y.0/24 subnet, even if the
correct password is entered.
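The trusted-host behaviour described above, worked through as an added Python model (not Fortinet code and not part of the lab guide): the account table, the passwords and the group number Y=1 are assumptions constructed for the example.

```python
"""Trusted-host evaluation for administrator accounts.

Added illustration of the behaviour described in Exercise 7; not Fortinet code.
The account table, passwords and addresses are constructed for group Y=1.
"""
from ipaddress import ip_address, ip_network

# Constructed admin table mirroring the lab: the factory admin keeps the default
# 0.0.0.0/0 trusted host, while adminX and cadminX are limited to the internal subnet.
ADMINS = {
    "admin":   {"password": "fortinet",  "trusted_hosts": ("0.0.0.0/0",)},
    "admin1":  {"password": "fortinet1", "trusted_hosts": ("192.168.101.0/24",)},
    "cadmin1": {"password": "123456",    "trusted_hosts": ("192.168.101.0/24",)},
}


def from_trusted_host(account, src_ip):
    """True if the source address falls inside any of the account's trusted hosts."""
    src = ip_address(src_ip)
    return any(src in ip_network(cidr) for cidr in account["trusted_hosts"])


def login(username, password, src_ip, admins=ADMINS):
    """Outcome of an administrative login attempt. The trusted-host check is applied
    before the credentials, so a correct password from outside the subnet is refused."""
    account = admins.get(username)
    if account is None:
        return "bad-credentials"
    if not from_trusted_host(account, src_ip):
        return "untrusted-host"
    if password != account["password"]:
        return "bad-credentials"
    return "ok"


def ping_allowed(src_ip, admins=ADMINS):
    """The unit answers ping only from an address inside some administrator's trusted
    hosts, which is why the note after step 4 says trusted hosts also restrict ping."""
    return any(from_trusted_host(a, src_ip) for a in admins.values())
```

With the factory admin still trusting 0.0.0.0/0, ping is answered from anywhere; the restriction only bites once every administrator has a narrowed trusted-host list.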
Lab 2 Logging and Monitoring
Objectives
In this exercise, system event logging will be configured.
Tasks
In this lab, you will complete the following tasks:
Exercise 1 Exploring Web Config Monitoring
Exercise 2 Configuring System Event Logging
Exercise 3 Exploring the FortiAnalyzer Interface
Exercise 4 Configuring Email Alerts (Optional)
Timing
Estimated time to complete this lab: 35 minutes
Exercise 1
Exploring Web Config Monitoring
1. Log in to Web Config on the FortiGate unit as admin. Go to System >
Dashboard > Status.
2. Locate the System Resources widget. Verify the CPU Usage and Memory
Usage status dials.
3. Hover the mouse pointer over the System Resources title bar and click History.
4. A pop-up window appears showing a trace of past CPU usage, memory usage,
session, network utilization, virus, and intrusion history. In the System Resource History graph window,
the time interval represented by each horizontal grid square can be selected from the pull-down menu to
the right of Time Interval. The refresh rate of this window is automatically set to 1/20th of the time interval.
Click Close.
5. The Alert Message Console widget displays recent critical system events, such
as system restart and firmware upgrade. Hover over the Alert Message Console title bar and click the
History icon to view a pop-up window that displays the entire message list.
Click Close.
6. Log and DLP archive statistics are shown in the Log and Archive Statistics widget. Since there will
have been little or no traffic through the FortiGate unit and no content inspection configured, the DLP
Archive and Log statistics will be uninteresting at this time.
The Reset link in the top-right of the Statistics box will clear the current statistics counts.
[Figure: Log and Archive Statistics widget. The DLP Archive section lists counts per protocol (HTTP and HTTPS URLs visited, emails sent and received, FTP URLs visited and files uploaded/downloaded, IM file transfers, chat sessions and messages) with the total bytes since last reset; the Log section lists counts for Traffic (allowed/violated), AV, IPS, Email, Web, DLP, Application Control and Event logs, each with a Details link, plus the average log volume per day and the total since last reset.]
7. There will already be a number of sessions recorded by the FortiGate unit. Click the Details link on the
Top Sessions widget to display more information about the sessions, or click each graphical bar
representing sessions per IP address.
Test the function of the various icons in this window. There are icons for display refresh, page forward
and back, column display filters, as well as clear session.
Identify the Web Admin sessions in the Session table display by looking for the TCP sessions from the
PC IP address to the IP address of the internal interface of the FortiGate unit.
Click Return to re-display the graphical view of the Top Sessions widget.
8. Some widgets are not displayed by default. Add them to the dashboard by clicking Widgets and
selecting from the pop-up window.
Exercise 2
Configuring System Event Logging
1. Go to Log&Report > Log Config > Log Setting. Expand Remote Logging & Archiving and click to enable
FortiAnalyzer.
Apply the following settings:
IP Address: 192.168.2.25
Minimum log level: Information
Note: Depending on the location of class, the instructor may direct students to a
FortiAnalyzer unit at a different address.
Click Apply.
For initial testing purposes, the log level is set to the lowest and most verbose level, Information. In actual
deployments, the level would more likely be set to Warning or Notification.
Automatic discovery of a FortiAnalyzer unit with the Fortinet Discovery Protocol is only applicable when
the FortiGate unit and the FortiAnalyzer unit are on the same broadcast domain (subnet). This would be a
rare situation in an actual network but appropriate for a FortiGate 5000 series chassis when a
FortiAnalyzer blade is used.
2. In Remote Logging & Archiving, click Test Connectivity to register with the FortiAnalyzer device. A pop-up
window displays to indicate a successful connection and registration process.
The FortiAnalyzer unit being used is configured to automatically accept and register all new FortiGate
device connections. Alternative settings are to register only (and ignore logging messages) or ignore
(manual registration).
In an actual scenario, there would be additional configuration required at the FortiAnalyzer end to permit
the necessary connection for manual device registration.
Click Close to exit from the FortiAnalyzer Connection Summary window.
3. While still in the Log Settings window, expand Local Logging & Archiving and confirm that Disk logging
is enabled and that the Minimum log level is set to Information. If using a FortiGate device without a local
hard drive, enable Memory logging instead.
4. On the Log&Report > Log Config > Event Log page, click Enable and select all events.
Click Apply to save the changes.
The CLI settings for the logging destinations can be displayed with the following commands:
get log <destination> setting
get log <destination> filter
Substitute <destination> with fortianalyzer, disk or memory.
Note: There are different logging capabilities, depending on the destination. The keywords may also differ.
5. Test the logging setup with some simulated log messages sent to the logging destinations using the
following CLI command:
diagnose log test
6. Go to Log&Report > Log Access. Select each log type from the Log Access menu item one at a time.
Click Disk from the Log Access pages to view the entries for the test messages.
Exercise 3
Exploring the FortiAnalyzer Interface
1. Connect to a FortiAnalyzer by typing the following address in a web browser:
https://192.168.2.25
Accept the self-signed certificate messages if they are displayed. Log in with the username admin and the
password netsafe1!$.
After a successful login, the FortiAnalyzer Dashboard displays.
2. In the FortiAnalyzer Web Config, go to Log&Archive > Log Browse > Log Browse. In the Log
Browse window, expand No Group and expand the name of the student FortiGate device to verify that log
messages are being received by the FortiAnalyzer unit. FortiGate device names are displayed as
HostName(SerialNumber).
3. Expand a category in the list. Click Show Log File Names and the names of the log files will display.
Select one of the log files and click Display to show the log entries in the file.
The log message view is pre-formatted to show selected items in columns. The messages are color-
coded according to severity level.
4. Explore the log message display features in the Log Browse window. Click the Change Display Options
link and click Raw to view the log entries in raw format.
5. Log out of the FortiAnalyzer device.
Exercise 4
Configuring Email Alerts (Optional)
This exercise can only be completed if an online email account is available to test with.
1. The FortiGate unit will be configured to send alert mail to a test mail account. In Web Config on the
FortiGate unit, go to Log&Report > Log Config > Alert Email and use the following settings to complete the
Alert E-mail configuration:
SMTP server: Type the name or IP address of an online email account server.
Email from: Type the sender's email address.
Email to: Type the destination email address.
Authentication: Enable if the email server requires authentication and enter the
sender's email address and account password.
Interval Time: 1 minute
Send alert mail for the following: Select Intrusion detected and Virus detected.
Send alert email for logs based on severity: Enable and select the Alert level from the minimum log
level list.
Click Apply to save the settings.
2. Click Test Connectivity. Test messages will be sent to the email account.
3. Open the email client application and confirm that the test messages have been received. Alert emails
can be sent based on selected event categories or simply on a log message threshold level. If a threshold
level is used, the CLI contains additional interval hold-off timers for log levels above the selected
threshold level.
Check the following CLI commands for the Alert Email configuration:
show system alertemail
show alertemail setting
Note: If the FortiGate unit collects more than one log message before an interval is reached, it combines the
messages and sends out one alert email.
Lab 3 Firewall Policies
Objectives
In this lab, firewall policy objects will be created and a new policy will be configured and tested.
Tasks
In this lab, you will complete the following tasks:
Exercise 1 Creating Firewall Policy Objects
Exercise 2 Creating Firewall Policies
Exercise 3 Testing Firewall Policies
Exercise 4 Configuring Virtual IP Access
Exercise 5 Debug Flow
Timing
Estimated time to complete this lab: 45 minutes
Exercise 1
Creating Firewall Policy Objects
1. In Web Config, go to Firewall > Address > Address. Click Create New and configure a new address
object for the internal subnet IP using the following settings:
Address Name: all-deptX
Type: Subnet/IP Range
Subnet/IP Range: 192.168.10Y.0/24
Interface: internal
Click OK to save.
2. Work in 2 groups; delegate someone from your group to do this step and the one at point 3:
Go to Firewall > Service > Group. Click Create New to configure a new group with the services shown
below.
To select the services for the web group, click the green arrows to move them between the Available
Services and Members lists:
Group Name web
Members DNS, HTTP, HTTPS, PING
Click OK to save the change.
3. Go to Firewall > Schedule > Recurring. Click Create New to configure a new recurring schedule using
the following parameters:
Name: office_hours
Day: Monday to Friday
Start: Hour 08, Minute 00
Stop: Hour 20, Minute 00
Click OK.
Note: When using schedules, make sure that the system time is at the correct local setting. From the CLI, type the
exec time command or go to System > Dashboard > Status in Web Config and view the System Information
widget.
Exercise 2
Creating Firewall Policies
When creating firewall policies, keep in mind that the FortiGate device is a stateful firewall; therefore, a
firewall policy only needs to be created for the direction of the originating traffic.
1. Go to Firewall > Policy > Policy and expand the internal -> wan1 interface list.
Select the default policy and click Edit (or double-click the entry) to view the factory settings. Click Cancel
to return to the Policy List.
2. Disable this unrestricted policy by unchecking the internal -> wan1 policy in the
Status column.
Note: It is useful to keep the default internal -> wan1 policy available for testing purposes since it will allow all traffic
types from any address to any address to pass through the FortiGate device.
3. Create a new firewall policy that will be used to provide general Internet access. Go to Firewall > Policy
> Policy. Click Create New and configure the following settings:
Source Interface/Zone: internal
Source Address: all-deptX
Destination Interface/Zone: wan1
Destination Address: all
Schedule: office_hours
Service: web
Action: ACCEPT
Log Allowed Traffic: Enabled
Enable NAT: Enabled
Comments: General Internet access
Click OK after entering all the parameters.
This new all-dept policy will be displayed in the section view of the Policy List under internal -> wan1.
5. All policies will be listed in the Policy section once created. You can add the Count column in the column
settings to see the RX and TX traffic matched by each student policy (generate Internet traffic in order to see the
changes). Try to enable and move (select the policy and use the Move button) the general internal-all to
wan1-all policy before the student policy (to the top of the list).
In the Move Policy window, click Before, type the Policy ID of the general Internet policy, and click OK.
The re-ordered policy list will be displayed. You can check that the general policy now matches all student
traffic (check the counters by refreshing the policy widget).
6. View the CLI configuration for the firewall policies created above:
show firewall policy
View the CLI configuration for a single firewall policy:
show firewall policy <ID>
Obtain the ID number of the policy from the show firewall policy output used above.
Important Points For Firewall Policy Configuration
P a ge I 20
Policies are organized according to the direction of traffic from the originator of a request to the receiver
of the request. Return traffic is automatically allowed back through due to the stateful nature of the
FortiGate device.
Policies are matched to traffic in the order they appear in the policy list, not by ID number.
Policies should be listed from most specific to most general so that the intended policy is matched; a broad policy placed above a narrower one shadows it, and traffic that matches no policy hits the implicit deny.
Matching is based on Source, Destination, Schedule, and Service settings.
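The following is an added example, not code from the lab guide or from FortiOS, that models the policy-list behaviour described in the points above: an ordered list walked top to bottom, first match wins, and ordering rather than policy ID decides the outcome. The address objects, the "web" service group, the office-hours schedule and the 192.168.10.0/24 subnet standing in for all-deptX are all constructed for the demonstration.

```python
"""First-match evaluation of an ordered firewall policy list.

Added example for the 'Important Points' above; it is not Fortinet code.
Address objects, service groups and the office-hours schedule below are
constructed for the demo, and 192.168.10.0/24 stands in for the lab's
all-deptX student subnet.
"""
from dataclasses import dataclass
from datetime import datetime
import ipaddress

# Constructed address objects (name -> network)
ADDRESSES = {
    "all-deptX": ipaddress.ip_network("192.168.10.0/24"),
    "all": ipaddress.ip_network("0.0.0.0/0"),
}
# Constructed service groups: set of (proto, port); None means ANY
SERVICES = {
    "web": {("tcp", 80), ("tcp", 443)},
    "ANY": None,
}
# Schedules as predicates over the session start time
SCHEDULES = {
    "always": lambda t: True,
    "office hours": lambda t: t.weekday() < 5 and 8 <= t.hour < 17,
}


@dataclass
class Policy:
    id: int          # assigned at creation; says nothing about position
    srcintf: str
    srcaddr: str
    dstintf: str
    dstaddr: str
    schedule: str
    service: str
    action: str      # "ACCEPT" or "DENY"


@dataclass
class Packet:
    srcintf: str
    src: str
    dstintf: str
    dst: str
    proto: str
    dport: int
    when: datetime


def matches(p: Policy, pkt: Packet) -> bool:
    """Match on interfaces, source, destination, schedule and service."""
    if (p.srcintf, p.dstintf) != (pkt.srcintf, pkt.dstintf):
        return False
    if ipaddress.ip_address(pkt.src) not in ADDRESSES[p.srcaddr]:
        return False
    if ipaddress.ip_address(pkt.dst) not in ADDRESSES[p.dstaddr]:
        return False
    if not SCHEDULES[p.schedule](pkt.when):
        return False
    svc = SERVICES[p.service]
    return svc is None or (pkt.proto, pkt.dport) in svc


def lookup(policies, pkt):
    """Walk the list top to bottom; the first match wins regardless of ID.
    No match at all is the implicit deny (returns None)."""
    for p in policies:
        if matches(p, pkt):
            return p
    return None


# The lab's two internal -> wan1 policies. The unrestricted default policy
# has the lower ID, the student's web-only policy the higher one.
GENERAL = Policy(1, "internal", "all", "wan1", "all", "always", "ANY", "ACCEPT")
STUDENT_WEB = Policy(2, "internal", "all-deptX", "wan1", "all",
                     "office hours", "web", "ACCEPT")


def demo():
    """Same packets, two orderings: narrow-first versus broad-first."""
    day = datetime(2024, 3, 5, 10, 0)    # a Tuesday, inside office hours
    night = datetime(2024, 3, 5, 22, 0)  # same day, outside office hours
    web = Packet("internal", "192.168.10.5", "wan1", "208.70.202.225", "tcp", 80, day)
    ssh = Packet("internal", "192.168.10.5", "wan1", "208.70.202.225", "tcp", 22, day)
    late = Packet("internal", "192.168.10.5", "wan1", "208.70.202.225", "tcp", 80, night)
    narrow_first = [STUDENT_WEB, GENERAL]
    broad_first = [GENERAL, STUDENT_WEB]
    return {
        "web_narrow_first": lookup(narrow_first, web).id,    # 2: student policy hit
        "ssh_narrow_first": lookup(narrow_first, ssh).id,    # 1: falls through to default
        "late_narrow_first": lookup(narrow_first, late).id,  # 1: schedule miss, falls through
        "web_broad_first": lookup(broad_first, web).id,      # 1: student policy shadowed
        "late_student_only": lookup([STUDENT_WEB], late),    # None: implicit deny
    }


if __name__ == "__main__":
    print(demo())
```

The last result is the one to remember when the unrestricted default policy is disabled in later exercises: once the broad policy is gone, anything outside the narrow policy's schedule or service set is dropped by the implicit deny, not by a logged DENY policy.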
Exercise 3
Testing Firewall Policies
1. Open a web browser and browse to a valid web site.
2.Go to System > Dashboard> Status. In the Top Sessions pane, click the bar on the chart for the
student IP address to view the session details. (If this widget is not visible, click Widget> Top Sessions.)
Locate the entry for the student computer's IP address and HTTP port (TCP/80) and check the Policy ID column.
Use the column filters to reduce the number of session entries displayed to TCP only.
Note: Be mindful of testing the firewall policy schedule outside of the specified hours.
3. Check the traffic log at Log&Report > Log Access > Traffic to see evidence of the FortiGate action, including the ID of the policy being used.
4.Change the action for the policies to Deny and ensure that Log Violation Traffic is enabled.
5.Visit another web site. Access should be denied.
6. Return to the traffic log at Log&Report > Log Access > Traffic to see evidence of the traffic violation.
7.Set the policy actions back to Accept.
8. **IMPORTANT** Before proceeding to the next exercise, go to Firewall > Policy > Policy and re-enable the unrestricted policy by checking the policy in the Status column of the firewall Policy List.
Exercise 4
Configuring Virtual IP Access
1. Delegate someone from your team to do the steps in point 1 and point 3.
A virtual IP that uses port forwarding will be created to make the Fortinet web server appear as if it were on the local subnet, listening on a non-standard port.
Go to Firewall > Virtual IP > Virtual IP. Click Create New and configure the virtual IP mapping as shown below.
Use nslookup to verify the address for www.fortinet.com.
Name special-web
External Interface internal
Type Static NAT
External IP Address 192.168.10Y.209
Mapped IP Address Enter the IP address of www.fortinet.com
Port Forwarding Enable
Protocol TCP
External Service Port 8088
Map to Port 80
Click OK to save the changes.
2. To view the VIP settings through the CLI, enter the following command:
show firewall vip
3. Create a new firewall policy to provide a guest PC access to the web server with the following settings:
Source Interface / Zone internal
Source Address Name Any
Destination Interface / Zone wan1
Destination Address Name special-web
Schedule office hours
Service ANY
Action ACCEPT
Log Allowed Traffic Enabled
Enable NAT Enabled
Comment Guest PC access to web server
Click OK.
Note: The Service setting for this policy is ANY. Because the policy's destination is the VIP, only traffic to the VIP's external IP on the configured external port (TCP/8088) is translated and matched, so there is no need to further restrict traffic with the Service setting. This holds only as long as the VIP keeps its port forwarding: a static NAT VIP without port forwarding translates every port, and a Service of ANY on its policy would then really mean any port.
4. Position this policy at the top of the internal -> wan1 list, as it has a narrower scope than the other policies.
Note: This guest PC would need to be further secured by limiting the user to the web browser only, removing administrative access and the ability to run other programs. These additional measures are operating-system dependent.
5. In a new web browser window, access the following URL:
http://192.168.10Y.209:8088
If the special-web virtual IP operation is successful, the Fortinet web page displays.
6. Try to access the following URL using the regular HTTP port of 80:
http://192.168.10Y.209
There should be no response.
7. To view the source and destination NAT mappings, enter the following CLI command:
get system session list
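The following added example (not from the lab guide or FortiOS) models what steps 5 and 6 show from the outside: a static NAT VIP with port forwarding translates only packets that arrive on the external interface, for the external IP, on the configured protocol and external port; everything else to that address is left untouched and never reaches the policy that references the VIP. It also shows why the note about Service ANY depends on port forwarding being on. The addresses 192.168.10.209 (for 192.168.10Y.209) and 203.0.113.10 (for the resolved address of www.fortinet.com) are constructed placeholders.

```python
"""Static NAT VIP with port forwarding: the destination translation a
FortiGate applies before the policy lookup. Added example, not FortiOS
code. The VIP mirrors the lab's special-web object; 192.168.10.209 stands
in for 192.168.10Y.209 and 203.0.113.10 is a constructed placeholder for
the address of www.fortinet.com.
"""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Vip:
    name: str
    extintf: str
    extip: str
    protocol: str            # "tcp" or "udp"
    extport: Optional[int]   # None: no port forwarding, every port is mapped
    mappedip: str
    mappedport: Optional[int]


@dataclass(frozen=True)
class Flow:
    inintf: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


SPECIAL_WEB = Vip("special-web", "internal", "192.168.10.209", "tcp", 8088,
                  "203.0.113.10", 80)


def apply_vip(vips: List[Vip], flow: Flow) -> Optional[Tuple[Vip, Flow]]:
    """Return (vip, translated flow) for the first VIP whose external
    interface, IP, protocol and (if port forwarding) external port match.
    A packet to the VIP address on any other port is left untranslated."""
    for v in vips:
        if (v.extintf, v.extip) != (flow.inintf, flow.dst):
            continue
        if v.extport is None:                       # plain static NAT: all ports
            return v, replace(flow, dst=v.mappedip)
        if v.protocol == flow.proto and v.extport == flow.dport:
            return v, replace(flow, dst=v.mappedip, dport=v.mappedport)
    return None


def forward(vips: List[Vip], flow: Flow) -> Tuple[str, Flow]:
    """Mirror the lab's guest-PC policy: internal -> wan1, destination
    special-web, service ANY. The policy only sees packets the VIP
    translated, so 'ANY' is bounded by the VIP's port mapping."""
    hit = apply_vip(vips, flow)
    if hit is None:
        return "no VIP match, implicit deny", flow
    vip, translated = hit
    return f"ACCEPT by policy dstaddr={vip.name}", translated


def demo():
    client = "192.168.10.5"
    ok = forward([SPECIAL_WEB], Flow("internal", client, 1849, "192.168.10.209", 8088))
    port80 = forward([SPECIAL_WEB], Flow("internal", client, 1850, "192.168.10.209", 80))
    # Same VIP without port forwarding: service ANY now really means any port.
    open_vip = replace(SPECIAL_WEB, extport=None, mappedport=None)
    ssh = forward([open_vip], Flow("internal", client, 1851, "192.168.10.209", 22))
    return {"8088": ok, "80": port80, "22_no_portfwd": ssh}


if __name__ == "__main__":
    for key, (decision, flow) in demo().items():
        print(key, decision, flow.dst, flow.dport)
```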
Exercise 5
Debug Flow
1. From the CLI, type the following command to clear the session table:
diag sys session clear
If connecting to the CLI using SSH or Telnet, the connection is dropped along with the other sessions and a new login will be required.
2. Type the CLI commands shown below to configure the debug flow to trace the route selection and session establishment for an HTTP connection to www.fortinet.com.
Use nslookup to confirm the address for www.fortinet.com.
Enter the following commands:
diag debug enable
diag debug flow filter addr <IP address of www.fortinet.com>
diag debug flow show console enable
diag debug flow show function-name enable
diag debug flow trace start 100
3. From a web browser connect to the following URL and observe the debug flow trace.
http://www.fortinet.com
Depending on the FortiGate model being used, the output displayed may vary
slightly.
SYN packet received:
id=36870 trace_id=1 func=resolve_ip_tuple_fast line=3395 msg="vd-root received a packet(proto=6, 192.168.1.110:1849->208.70.202.225:80) from internal."
A new session is allocated for the SYN:
id=36870 trace_id=1 func=resolve_ip_tuple line=3522 msg="allocate a new session-00000483"
Lookup for next-hop gateway address:
id=36870 trace_id=1 func=vf_ip4_route_input line=1595 msg="find a route: gw-192.168.3.254 via wan1"
Source NAT, lookup next available port:
id=36870 trace_id=1 func=get_new_addr line=1615 msg="find SNAT: IP-192.168.3.10, port-44977"
Matched firewall policy. Check to see which policy this session matches:
id=36870 trace_id=1 func=fw_forward_handler line=463 msg="Allowed by Policy-1: SNAT"
Apply source NAT:
id=36870 trace_id=1 func=ip_session_run_tuple line=1840 msg="SNAT 192.168.1.110->192.168.3.10:44977"
SYN ACK received:
id=36870 trace_id=2 func=resolve_ip_tuple_fast line=3395 msg="vd-root received a packet(proto=6, 208.70.202.225:80->192.168.3.10:44977) from wan1."
Found existing session ID. Identified as the reply direction:
id=36870 trace_id=2 func=resolve_ip_tuple_fast line=3433 msg="Find an existing session, id-00000483, reply direction"
Apply destination NAT to reverse the source NAT:
id=36870 trace_id=2 func=ip_session_run_tuple line=1854 msg="DNAT 192.168.3.10:44977->192.168.1.110:1849"
Lookup for next-hop gateway address for reply traffic:
id=36870 trace_id=2 func=vf_ip4_route_input line=1595 msg="find a route: gw-192.168.1.110 via internal"
ACK received:
id=36870 trace_id=3 func=resolve_ip_tuple_fast line=3395 msg="vd-root received a packet(proto=6, 192.168.1.110:1849->208.70.202.225:80) from internal."
Match existing session in the original direction:
id=36870 trace_id=3 func=resolve_ip_tuple_fast line=3433 msg="Find an existing session, id-00000483, original direction"
Apply source NAT:
id=36870 trace_id=3 func=ip_session_run_all_tuple line=4378 msg="SNAT 192.168.1.110->192.168.3.10:44977"
Receive data from client:
id=36870 trace_id=4 func=resolve_ip_tuple_fast line=3395 msg="vd-root received a packet(proto=6, 192.168.1.110:1849->208.70.202.225:80) from internal."
Match existing session in the original direction:
id=36870 trace_id=4 func=resolve_ip_tuple_fast line=3433 msg="Find an existing session, id-00000483, original direction"
Apply source NAT:
id=36870 trace_id=4 func=ip_session_run_all_tuple line=4378 msg="SNAT 192.168.1.110->192.168.3.10:44977"
Receive data from server:
id=36870 trace_id=5 func=resolve_ip_tuple_fast line=3395 msg="vd-root received a packet(proto=6, 208.70.202.225:80->192.168.3.10:44977) from wan1."
Match existing session in reply direction:
id=36870 trace_id=5 func=resolve_ip_tuple_fast line=3433 msg="Find an existing session, id-00000483, reply direction"
Apply destination NAT to reverse the source NAT:
id=36870 trace_id=5 func=ip_session_run_all_tuple line=4390 msg="DNAT 192.168.3.10:44977->192.168.1.110:1849"
4. Enter the following command to disable the debug flow trace:
diag debug flow trace stop
Turn off debug output altogether with diag debug disable once the trace is no longer needed; debug flow output is verbose and should not be left running on a production unit.
5. Disable the special-web policy.
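Reading a debug flow trace by hand works for one session; for anything longer it helps to parse it. The following is an added example, not from the lab guide or FortiOS, that groups trace lines by trace_id, pulls out the packet tuple, session ID, matched policy, route and SNAT/DNAT translations, and then checks the property the trace above illustrates: every reply-direction DNAT must restore exactly the client address and port that the original-direction SNAT replaced. The sample lines are constructed to match the format shown above.

```python
"""Parse 'diag debug flow' trace lines into per-trace NAT state and check
that the reply direction undoes the SNAT. Added example, not FortiOS code;
the sample lines are constructed to match the format shown above.
"""
import re
from collections import defaultdict

LINE = re.compile(r'id=(?P<id>\d+)\s+trace_id=(?P<trace>\d+)\s+func=(?P<func>\S+)'
                  r'\s+line=(?P<line>\d+)\s+msg="(?P<msg>[^"]*)"')
PKT = re.compile(r'received a packet\(proto=(?P<proto>\d+),\s*(?P<src>[\d.]+):(?P<sport>\d+)'
                 r'->(?P<dst>[\d.]+):(?P<dport>\d+)\)\s+from\s+(?P<intf>[^.\s]+)\.')
SESSION = re.compile(r'(?:session|id)-(?P<sid>\d+)')
SNAT = re.compile(r'SNAT (?P<src>[\d.]+)->(?P<nsrc>[\d.]+):(?P<nport>\d+)')
DNAT = re.compile(r'DNAT (?P<dst>[\d.]+):(?P<dport>\d+)->(?P<ndst>[\d.]+):(?P<ndport>\d+)')
POLICY = re.compile(r'Allowed by Policy-(?P<pid>\d+)')
ROUTE = re.compile(r'find a route: gw-(?P<gw>[\d.]+) via (?P<intf>\S+)')

# Constructed sample: SYN (trace 1), SYN/ACK (trace 2) and server data (trace 5)
SAMPLE = """\
id=36870 trace_id=1 func=resolve_ip_tuple_fast line=3395 msg="vd-root received a packet(proto=6, 192.168.1.110:1849->208.70.202.225:80) from internal."
id=36870 trace_id=1 func=resolve_ip_tuple line=3522 msg="allocate a new session-00000483"
id=36870 trace_id=1 func=vf_ip4_route_input line=1595 msg="find a route: gw-192.168.3.254 via wan1"
id=36870 trace_id=1 func=get_new_addr line=1615 msg="find SNAT: IP-192.168.3.10, port-44977"
id=36870 trace_id=1 func=fw_forward_handler line=463 msg="Allowed by Policy-1: SNAT"
id=36870 trace_id=1 func=ip_session_run_tuple line=1840 msg="SNAT 192.168.1.110->192.168.3.10:44977"
id=36870 trace_id=2 func=resolve_ip_tuple_fast line=3395 msg="vd-root received a packet(proto=6, 208.70.202.225:80->192.168.3.10:44977) from wan1."
id=36870 trace_id=2 func=resolve_ip_tuple_fast line=3433 msg="Find an existing session, id-00000483, reply direction"
id=36870 trace_id=2 func=ip_session_run_tuple line=1854 msg="DNAT 192.168.3.10:44977->192.168.1.110:1849"
id=36870 trace_id=2 func=vf_ip4_route_input line=1595 msg="find a route: gw-192.168.1.110 via internal"
id=36870 trace_id=5 func=resolve_ip_tuple_fast line=3395 msg="vd-root received a packet(proto=6, 208.70.202.225:80->192.168.3.10:44977) from wan1."
id=36870 trace_id=5 func=resolve_ip_tuple_fast line=3433 msg="Find an existing session, id-00000483, reply direction"
id=36870 trace_id=5 func=ip_session_run_all_tuple line=4390 msg="DNAT 192.168.3.10:44977->192.168.1.110:1849"
"""


def parse(text):
    """Group lines by trace_id; each trace is one packet through the flow."""
    traces = defaultdict(dict)
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue                     # tolerate prompts, blank lines, noise
        t = traces[int(m["trace"])]
        msg = m["msg"]
        p = PKT.search(msg)
        if p:
            t["packet"] = {"src": (p["src"], int(p["sport"])),
                           "dst": (p["dst"], int(p["dport"])),
                           "intf": p["intf"], "proto": int(p["proto"])}
        s = SESSION.search(msg)
        if s:
            t["session"] = s["sid"]
            t["direction"] = "reply" if "reply" in msg else "original"
        n = SNAT.search(msg)
        if n:
            t["snat"] = (n["nsrc"], int(n["nport"]))
        d = DNAT.search(msg)
        if d:
            t["dnat"] = (d["ndst"], int(d["ndport"]))
        pol = POLICY.search(msg)
        if pol:
            t["policy"] = int(pol["pid"])
        r = ROUTE.search(msg)
        if r:
            t["route"] = (r["gw"], r["intf"])
    return dict(traces)


def check_nat_symmetry(traces):
    """For each session: every reply must be addressed to the SNAT
    address/port, and its DNAT must restore the original client tuple."""
    by_session = defaultdict(lambda: {"original": [], "reply": []})
    for t in traces.values():
        if "session" in t:
            by_session[t["session"]][t["direction"]].append(t)
    results = {}
    for sid, dirs in by_session.items():
        orig = next((t for t in dirs["original"] if "snat" in t and "packet" in t), None)
        replies = dirs["reply"]
        if orig is None or not replies:
            results[sid] = None          # not enough of the trace captured
            continue
        results[sid] = all(r.get("dnat") == orig["packet"]["src"]
                           and r["packet"]["dst"] == orig["snat"] for r in replies)
    return results


if __name__ == "__main__":
    parsed = parse(SAMPLE)
    print("policy for SYN:", parsed[1]["policy"], "SNAT:", parsed[1]["snat"])
    print("NAT symmetry:", check_nat_symmetry(parsed))
```

A session whose check comes back False is worth a closer look: it means replies are arriving at the SNAT address/port but being translated to a different internal tuple, which is what a stale or colliding session entry looks like in the trace.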
Lab 4 Authentication
Objectives
In this lab, a new policy to implement user authorization will be added for afterhours
Internet web access. User disclaimer messages will also be added to the
Internet-bound policies and sessions will be redirected to a specified URL.
Tasks
In this lab, the following tasks will be completed:
Exercise 1 Creating an Identity-Based Firewall Policy
Exercise 2 Testing the Firewall Policy For Web Traffic
Exercise 3 Adding User Disclaimers and Redirecting URLs
Timing
Estimated time to complete this lab: 20 minutes
Exercise 1
Creating an Identity-Based Firewall Policy
1. In Web Config, go to User > User > User. Click Create New and enter a user name and password.
Click OK.
2. Go to User > User Group > User Group. Click Create New and create a group that includes the authorized user with the following settings:
Name auth-user
Type Firewall
Members Select the user created in step 1 from the Available User Group list and move it to the Members list.
Click OK to save the changes.
3. Go to Firewall > Policy > Policy and configure a new policy with the following settings:
Source Interface / Zone internal
Source Address Name all-dept
Destination Interface / Zone wan1
Destination Address Name all
Schedule always
Service web
Action ACCEPT
Log Allowed Traffic Enabled
Enable NAT Enabled
Enable Identity Based Policy Enabled
Click Add to create an Authentication Rule.
Move auth-user to the Selected User Groups list.
Move ANY to the Selected Services list.
Comment After-hours Internet web access
Click OK.
4. Move this new all-dept policy to the top of the internal -> wan1 policy list.
5. Enable Authentication Keep-alive for the web traffic firewall policies using the CLI commands below.
config system global
set auth-keepalive enable
end
Note: Authentication keepalive extends the authenticated session while traffic is present. In this mode the authentication timeout acts as an idle timer rather than a hard timeout.
Exercise 2
Testing the Firewall Policy For Web Traffic
1. In a new web browser window, attempt to access a new web site.
At the login prompt, enter the username and password of the user created in Exercise 1.
2. In the Authentication Keepalive window, click the Logout link and attempt to browse to another web site.
3. When prompted to authenticate, enter an incorrect user name or password.
4. In Web Config, go to Log&Report > Log Access > Event.
Locate the event log messages for the firewall policy authentication events. Click the entry in the list to view the details. Note the log message level used for this type of event.
5. Clear all authenticated sessions (be careful with this command on a live system: it logs out every authenticated user) with the following CLI command:
diagnose firewall iprope resetauth
6. Re-connect to the web site, only this time enter the correct credentials.
7. From the CLI, view the IP addresses and users that have successfully authenticated to the FortiGate unit with the following CLI command:
diagnose firewall iprope authuser
Exercise 3
Adding User Disclaimers and Redirecting URLs
1. In Web Config, go to Firewall > Policy > Policy and edit the authenticating all-dept policy by modifying the following settings:
Enable Disclaimer and Redirect URL Enable
Redirect URL Enter the URL of a web page to be redirected to.
Click OK.
2. Clear all authenticated sessions using the CLI command:
diagnose firewall iprope resetauth
3. In a new web browser window, access a web site. When the user disclaimer message appears, click Yes, I agree.
When prompted by the authentication login page, log in as the user created in Exercise 1.
After logging in, an authentication keep-alive page opens. Click the new window link. This directs the user to the redirect URL specified in the firewall policy edited in Step 1.
4. Go to System > Config > Replacement Message. Expand Authentication and click Edit to modify the Disclaimer Page. Replace the text "the network access provider" with the student name.
Click OK.
5. Clear the authenticated sessions before each test with the following CLI command:
diagnose firewall iprope resetauth
6. Browse to a web page and note the change to the replacement message.
7. Examine the following CLI commands for the users, user groups, and for one of the authentication firewall policies:
show user local
show user group
show firewall policy <id>
8. Go to Firewall > Policy > Policy and disable all the internal -> wan1 policies except for the default all policy.
Lab 5 SSL VPN
Objectives
In this lab, an SSL VPN will be configured to allow both web-only mode and tunnel mode access to public web sites.
Tasks
In this lab, the following tasks will be completed:
Configuring SSL VPN for Full Access
Timing
Estimated time to complete this lab: 25 minutes
Exercise 1
Configuring SSL VPN for Full Access
1. Go to VPN > SSL > Config. Configure the following settings to enable the SSL VPN service:
Enable SSL-VPN Enable
IP Pools Click [Edit] and add SSLVPN_TUNNEL_ADDR1 to the Selected list.
Leave all the other settings at default.
Click Apply.
Click OK.
2. Configure authentication for an internal user to access the SSL VPN gateway service. Go to User > User > User. Click Create New and add a new user with the User Name of UserX and Password of 123456.
3. Create a new user group that includes the new local user. Go to User > User Group > User Group and click Create New. Configure the following settings:
Name SSLVPN
Type Firewall
Allow SSL-VPN Access Enable and select the full-access portal from the list.
Available Users/Groups Move the Test SSL user (UserX, created in step 2) from the Available Users/Groups list to the Members list.
Click OK.
4. Create a new firewall policy to allow access to the SSL VPN and authenticate the user. Go to Firewall > Policy > Policy. Click Create New to configure a policy with the following settings:
Source Interface internal
Source Address all
Destination Interface wan1
Destination Address all
Action SSL-VPN
SSL Client Certificate Restrictive Disabled
Click Add to configure a new identity-based policy with the following settings:
Available User Groups Move SSLVPN from the Available User Groups list to the Selected User Groups list.
Service Move ANY from the Available Services list to the Selected Services list.
Schedule always
Log Allowed Traffic Enabled
Click OK.
5. Move this SSLVPN policy to the top of the internal -> wan1 policy list.
6. Test the SSL VPN by connecting to the portal by typing the following address in the web browser:
https://192.168.10Y.254:10443/
Confirm the first-time Security Alert that is displayed.
Note: By default, the SSL VPN gateway listens on port 10443. In an actual deployment, use port 443, as this port is typically open on firewalls and allows easy remote access over SSL. Since the Web Admin HTTPS service also uses 443 by default, first go to System > Admin > Settings and change the Web Admin HTTPS port from 443 to a different port number (for example, 8443), then change the SSL VPN login port from 10443 to 443.
7. When prompted, log in as the Test SSL user with the password of 123456.
The portal page shows the logged-in user name, the time logged in, and the HTTP and HTTPS inbound/outbound traffic counters. If the Fortinet SSL VPN Client plugin is not installed on the computer or is not up to date (or the browser settings block it from running), the portal displays a warning: the plugin is required for the tunnel mode function of the SSL VPN client, the first-time install needs administrator rights, and once installed it runs under normal user privileges and can be upgraded without administrator privileges.
If the connection fails, check the following:
The Test SSL user is a member of the SSLVPN user group.
The SSLVPN user group is associated with the internal -> wan1 SSL VPN policy.
The SSL VPN policy is at the top of the policy list for internal -> wan1.
If after performing these checks the connection still fails, try re-entering the password in the local user configuration.
8.0n the portal page, click Add to create a new bookmark with the following details:
Name Fortinet
Type HTTP/HTTPS
Location http://www.fortinet.com
Description Optional
SSO Disabled
Click OK.
9 .Click the newly created bookmark. A new window displays the selected web
site.
Note the URL of the web site in the web browser address bar:
https://192.168.10Y.254:10443/proxy/http/www.fortinet.com
The first part of the address, https://192.168.10Y.254:10443, is the encrypted link to the FortiGate SSL VPN gateway.
The second part of the address, /proxy/http, is the instruction to use the SSL VPN HTTP proxy.
The final part of the address, /www.fortinet.com, is the destination of the connection from the HTTP proxy.
In this example, the connection is encrypted only up to the SSL VPN gateway. The connection from the HTTP proxy to the final destination is plain HTTP, so the gateway (and anything between it and the web server) sees the content in clear.
10. Examine the PC's current routing table by typing the following command from a DOS command prompt:
route print
Note that the current default gateway is 192.168.10Y.254.
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.10Y.254 192.168.10Y.xxx 10
11. If this is the first time an SSL VPN tunnel is used on the PC, install the Fortinet SSL VPN Client plug-in for the browser. Click the Click here to download and install it link that appears in the Tunnel Mode widget.
Download the client software to the PC desktop and close the web browser.
12. Run the installation application for the client software from the PC desktop.
13. Reopen the web browser and enter the address of the VPN portal:
https://192.168.10Y.254:10443/
14. Click the Connect button in the Tunnel Mode widget. When the tunnel is active, the local interface fortissl will be listed as UP. Return to the routing table through the DOS prompt and note that the default gateway is now 10.0.0.1, which is the local tunnel endpoint. Because split tunnelling is not enabled, a default route is displayed for the tunnel interface.
Note: Split tunneling is a computer networking concept which allows a VPN user to access a public
network, for example, the Internet, and a local LAN or WAN at the same time, using the same physical
network connection. This connection service is usually facilitated through a program such as a VPN
client software application.
For example, a user connects to a corporate network using a remote access VPN software client and a
hotel wireless network. The user with split tunneling enabled is able to connect to file servers, database
servers, mail servers, and other servers on the corporate network through the VPN connection. In
contrast, when the user connects to Internet resources, for example, web sites and FTP sites, the
connection request doesn't go through the VPN link but rather through the wireless connection and out
the gateway provided by the hotel network.
15. Open a new web browser window and attempt to connect to the following web site:
www.fortiguard.com
Note that the connection fails when tunnel mode is active. In addition to the SSL VPN policy, additional objects must be created to allow access from the ssl.root interface, which is the source of all SSL VPN tunnel traffic.
16. To observe the cause of the configuration problem, run a packet sniffer command in the CLI with the following filter and observe the output while trying to reload the web page.
diag sniffer packet any "port 80" 4
If DNS forwarding is not used on the FortiGate and DNS queries are forwarded from the PC to external DNS servers, test using the server's IP address. Use the nslookup command to get the IP address of the server before testing in this case.
TCP SYN packets should be observed arriving on the ssl.root interface. The ssl.root interface represents the clients of the SSL VPN tunnel. To allow these packets, the session must be accepted by a policy from the ssl.root interface to the wan1 interface. A route back to the SSL VPN client range through ssl.root is also needed, both to pass the reverse path forwarding (RPF) check on the incoming packets and to return traffic for new sessions.
17. Log out of the SSL VPN portal by clicking Logout.
18. Create a static route for the SSL VPN tunnel client IP address range. In Web Config, go to Router > Static > Static Route and click Create New.
Configure the static route with the following settings:
Destination IP/Mask 10.0.0.1/24
Device ssl.root
Leave the remaining default settings and click OK.
19. Create a new firewall policy from the SSL VPN tunnel interface (ssl.root), this time using a regular ACCEPT action.
Source Interface ssl.root
Source Address all
Destination Interface wan1
Destination Address all
Schedule always
Service ANY
Action ACCEPT
Log Allowed Traffic Enabled
Enable NAT Enabled
Click OK.
This new ssl.root -> wan1 policy will be displayed in the Policy list.
20.Log back into the SSL VPN portal and click Connect to activate the SSL VPN tunnel.
21. From the DOS prompt, confirm that the default route is now the tunnel endpoint (10.0.0.1).
22. Connect directly to the following web site through the web browser:
www.fortiguard.com
The connection should be successful.
23. Run the packet sniffer command once again to verify that the traffic from the ssl.root interface is now permitted.
24. Disable the two SSL policies created in this lab.
Lab 6 Fortinet Subscription Services
Objectives
In this exercise, access to the FortiGuard Distribution Network will be configured and services updated.
Note: This exercise can only be completed if the FortiGate unit has already been registered on the Fortinet Support web site (https://support.fortinet.com).
Tasks
In this lab, the following task will be completed:
Exercise 1 Enabling FortiGuard Services and Updates
Timing
Estimated time to complete this lab: 10 minutes
Exercise 1
Enabling FortiGuard Services and Updates
1. In Web Config, go to System > Maintenance > FortiGuard to verify the details of the FortiGuard licensing entitlement for the FortiGate unit. What are the antivirus definition version, expiry, and last update attempt for the FortiGate unit?
If only the version field is showing, the FortiGate unit firmware was upgraded recently and there have
been no further update attempts.
Note: In the classroom environment, the FortiGate unit is behind a NAT device. Port forwarding must be configured
on the NAT device, otherwise the Push Update feature will not work.
2. On the FortiGuard Distribution Network page, expand AntiVirus and IPS Options and enable a scheduled update every four hours. Click Apply.
3.Return to the AntiVirus and IPS Options and click Update Now to force the FortiGate unit to obtain the
latest antivirus and IPS definitions. This action sends a request to an FDN server. After 3 to 5 minutes, if
properly entitled and depending on Internet congestion, the FortiGate unit will receive and install updated
definitions.
Wait a few minutes and return to System > Maintenance > FortiGuard and check for the new updates.
Today's date should appear next to the [Update] link for both AV and IPS Definitions.
The AV and IPS signature databases can also be updated either individually or together through the CLI
using the following commands:
exec update-av Update AV engine/definitions
exec update-ips Update IPS engine/definitions
exec update-now Update now
Note: Antivirus and IPS updates can also be set to be pushed automatically to the FortiGate unit. To allow push
updates, expand AntiVirus and IPS Options and enable Allow Push Update and set the update schedule required, for
example, every 4 hours.
Note: The update-now command updates antivirus and IPS definitions only; it does not upgrade the system firmware.
4.View the CLI settings by entering the following commands in the CLI:
get system autoupdate schedule
get system fortiguard
The defined FortiGuard autoupdate interval was set to 4 hours through Web Config but the CLI shows
4:60. This means that the additional minutes interval will be randomly picked from 0 to 59 minutes. This
helps to spread out the request load on the FortiGuard server.
An exact hour and minute interval can be set through the CLI as illustrated in this example:
config system autoupdate schedule
set time 4:0
end
Verify the change with:
show system autoupdate schedule
5. On the FortiGuard Distribution Network page, expand Web Filtering and Email Filtering Options and
configure the following FortiGuard service settings:
Web Filter Cache Enabled
Web Filter Cache TTL 1800 seconds (30 minutes)
Antispam Cache Enabled
Antispam Cache TTL 900 seconds (15 minutes)
Port Selection 53 (default)
Click Apply.
6.Confirm that the FortiGuard Services are reachable by expanding Web Filtering and Email Filtering
Options once again and clicking Test Availability to establish connectivity between the FortiGate unit and
the FDN server.
Note: By default, FortiGuard uses UDP/53, because this port is almost always open for DNS traffic. If there is another IPS device on the network that decodes DNS data on port 53, the FortiGuard request/response may trigger an alert, since the payload is encrypted rather than DNS. In that case change FortiGuard communication to UDP/8888 and ensure upstream devices permit this traffic to pass.
7. Before proceeding to the next lab, save the changes to the FortiGate configuration.
Go to System > Dashboard > Status and in the System Information widget click the Backup link. Save the file to the local hard disk and change the backup file name to reflect that this backup was created at the end of this lab (Lab 6).
Lab 7 Antivirus Scanning
Objectives
In this exercise, global antivirus settings will be explored including:
Ensuring that antivirus definitions are updated through the FortiGuard Subscription Services.
Enabling file pattern blocking.
Enabling Grayware scanning.
Setting up file quarantine with the FortiAnalyzer device.
Enabling antivirus scanning for web proxy server.
Customizing antivirus replacement messages.
Tasks
In this lab, the following tasks will be completed:
Exercise 1 Configuring Global Antivirus Settings
Exercise 2 Configuring an Antivirus Profile
Exercise 3 Testing Antivirus Scanning for HTTP
Timing
Estimated time to complete this lab: 20 minutes
Exercise 1 Configuring Global Antivirus Settings
1. Confirm that the FortiGate Antivirus Database versions are up to date. Go to the FortiGuard Center web page at the following address:
www.fortiguard.com
Locate and note the current database version shown in the Update Center pane of the FortiGuard Center
web page.
2. From Web Config, go to System > Maintenance > FortiGuard. Locate the AV Definitions version information for the FortiGate unit.
This information can also be accessed from the License Information widget at System > Dashboard >
Status.
The equivalent CLI commands are:
get system status
diagnose autoupdate versions
3. If required, update the AV definition versions by going to System> Maintenance> FortiGuard. Expand
Antivirus and IPS Options. Click Update Now.
Note: The update may take several minutes to complete. In the meantime, continue with the lab.
The equivalent CLI commands to invoke an FDN check and AV/IPS update are as follows:
exec update-av
exec update-now
4. To help slow the spread of potentially malicious viruses and the installation of unauthorized programs, all *.exe and *.com files will be blocked from being downloaded from the web and by FTP, as well as from all email attachments.
In Web Config, go to UTM > AntiVirus > File Filter. Select the builtin-patterns list and click Edit, or double-click the entry in the list. Expand File Patterns and select the *.exe and *.com file patterns. Click Enable.
Click OK.
5.Go to UTM >AntiVirus > Virus Database. Enable Grayware Detection to scan
for malicious grayware-type installers.
Click Apply.
6. File quarantine is available if the FortiGate unit model has an internal hard disk or if a FortiAnalyzer device is available. Go to UTM > AntiVirus > Quarantine and enable quarantine to Disk. (If using a FortiGate device without a hard disk, enable quarantine to the online FortiAnalyzer device.)
Configure the quarantine settings as follows:
Quarantine Infected Files enable all protocols
Quarantine Suspicious Files enable all protocols
Quarantine Blocked Files enable all protocols
Max Filesize to Quarantine 50 MB
Disk Age Limit 168 hours (7 days)
Low Disk Space Overwrite oldest file
Click Apply.
7. Replacement messages are substituted for the infected file when the FortiGate antivirus engine detects a virus. Go to System > Config > Replacement Message. Expand HTTP. Click Edit to view the default Virus message and File block messages for HTTP.
Alternatively, display the same replacement messages in the CLI with the following command:
show system replacemsg http [http-virus/http-block/...]
Note: Some replacement messages are stored in raw HTML code. Make sure that the correct syntax is used and
preserve the existing HTML tags. An external HTML editor can be used to create the replacement message and then
copy and paste the resulting HTML code into the FortiGate replacement message text windows.
Exercise 2
Configuring an Antivirus Profile
1. Go to UTM > AntiVirus > Profile. Click Create New and assign the following settings to the profile:
Name StandardX
Virus Scan Enable all protocols and Logging.
File Filter Enable all protocols and Logging. Select builtin-patterns from the Options drop-down list.
Quarantine Enable all protocols.
Click OK.
2. Go to Firewall > Policy > Policy. Modify the traffic policy for each student IP address to enable UTM. Enable Antivirus and select the StandardX antivirus profile. A Protocol Options list must be selected when Antivirus is enabled. Select the default list.
Click OK.
Exercise 3
Testing Antivirus Scanning for HTTP
1. In a web browser, type the following address:
http://eicar.org
2. On the page presented, click the Anti-Malware Test File link and attempt to download the eicar.com file.
This file does not contain a real virus but will trigger a virus or grayware signature and will be stopped by the FortiGate unit.
The HTTP Virus replacement message is shown in place of the file when an infected or blocked file has been caught (and quarantined, if quarantine is enabled). The message includes a link to the Fortinet Virus Encyclopedia that provides information about the detected virus.
3. Go to Log&Report >Archive Access> Quarantine. The files that have been quarantined will be listed.
Note: There may be policies in place from previous exercises that could allow the files to be downloaded. If the
above steps do not work, go to the firewall policies and ensure that all other policies other than the default are
disabled.
4. Go to Log&Report > Log Access > Antivirus. Click Disk to view the antivirus event messages.
Lab 8 Web Filtering
Objectives
In this lab, web and content filtering will be configured. The interaction of local categories and overrides
will also be examined.
Tasks
In this lab, the following tasks will be completed:
Exercise 1 Configuring Local Web URL and Content Filtering
Exercise 2 Testing Web Category Filtering
Exercise 3 Web Filtering Overrides
Timing
Estimated time to complete this lab: 35 minutes
Exercise 1
Configuring Local Web URL and Content Filtering
1. Log in to Web Config as the admin user. To create a new URL filter, go to UTM > Web Filter > URL Filter.
Click Create New and enter the name URL_ListX.
Click OK.
2. In the URL_ListX window, click Create New to define the following attributes for the URL filter.
URL ^.*$
Type Regex
Action Block
Enable enable
Click OK.
Note: ^.*$ means: anchor at the beginning of the line (^), match any single character (.) repeated zero or more times (*), up to the end of the line ($); in other words, it matches every URL. There are many references on the web for regular expressions and Perl-compatible regular expressions, for example, http://perldoc.perl.org or http://www.regexlib.com/CheatSheet.aspx.
3. Go to UTM > Web Filter > Profile.
Click Create New and enter the name URL_ProfileX. Enable HTTP, HTTPS, and Logging for Web URL
Filter. Select the URL filter called URL_ListX from the Options list.
Click OK.
4. Go to Firewall > Policy > Policy. Select the internal -> wan1 (for each student) policy and
click Edit or double-click the entry.
5. Click to enable UTM. Enable Web Filter and select the URL_ProfileX web filter profile. When Web Filter
is enabled, a Protocol Options list must be selected. Select the default list and click OK.
6. Open a new web browser window and browse to a random web site. Note that all web sites are now
blocked and that the URL Filter Block Replacement Message is displayed.
Note: Web browser caching may interfere with web filtering. If the web site is not blocked, clear the cache in the web
browser and try again.
7.Go to System> Config >Replacement Message. Expand HTTP. Edit the URL block message and add
a custom message.
8. Go to UTM > Web Filter > URL Filter. Click to select the URL_ListX filter and
click Edit ( ) or double-click the entry.
9. Click Create New and add the following filter:
URL: www.fortinet.com
Type: Simple
Action: Allow
Enable: enable
Click OK to save the changes.
10. In the URL filter list click to select the new www.fortinet.com entry and
click Move To ( ) to place this entry above the global blocking URL entry in the list.
11. Test access to www.fortinet.com.
12. On the www.fortinet.com web page, pick three words to add to a web
content filter and a phrase in which one of the words occurs.
Note: Ensure that the words selected do not appear as part of the graphics or flash
movies on this web page. For example, choose technology, program, or partner.
Word 1
Word 2
Word 3
Phrase
13. Go to UTM > Web Filter > Web Content Filter. Click Create New. Enter the name Content_FilterX and
click OK.
On the Content_FilterX page, click Create New and add Word 1 to the content pattern list as follows:
Action Block
Pattern <Word 1 >
Pattern Type Wildcard
Language Western
Score 5
Enable enabled
Click OK.
14. Go to UTM > Web Filter > Profile and edit URL_ProfileX. Enable HTTP and Logging for Web Content
Filter. Select Content_FilterX from the Options list.
Set the Threshold to 5.
Click OK to save the changes.
15. Reload www.fortinet.com to test that this page is blocked and that the Banned Word Block
Replacement Message is displayed. (If the page appears, clear the cache on the browser and try again.)
16.Go to Log&Report >Log Access> Web Filter. Check the Disk log messages for the web content block
entry.
17. Go to UTM > Web Filter> Web Content Filter. Click to select Content_FilterX and click Edit ( ).
Click to select the Word 1 pattern and click Disable ( ) before continuing.
18. Click Create New to add Word 2 to the web content filter list as follows:
Action: Block
Pattern: Type Word 2 using the form /Word/i
Pattern Type: Regular Expression
Language: Western
Score: 5
Enable: enabled
The trailing i in the regular expression /word/i makes the match case-insensitive, so any combination of upper and lowercase letters is accepted.
19. Clear the cache in the web browser and reload the www.fortinet.com web page to test that the
page is blocked and the replacement message is displayed. View the log messages again to locate the
entry for the web content block event.
20. Go to UTM > Web Filter > Web Content Filter. Click to select Content_FilterX and click Edit ( ).
Click Create New to add an exempt pattern to the web content filter list as follows:
Action: Exempt
Pattern: Type the phrase chosen earlier.
Pattern Type: Regular Expression
Language: Western
Enable: enabled
Click OK.
21. Test the access to www.fortinet.com. The web page should be displayed because of the
exempt phrase.
22 .Add Word 3 to the web content filter list with a score of 5 and test. The page should still pass even if
the threshold has been reached since the exempt phrase is tested first.
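As an added illustration of steps 13 to 22 (a constructed Python model, not code from the lab or from Fortinet), the following replays the banned word scoring, the /word/i pattern form and the exempt-first rule. The page body, the threshold comparison (score >= threshold, each matching pattern counted once) and case-sensitive wildcard matching are assumptions.

```python
import re

# Constructed model of the web content filter steps in Lab 8, exercise 1
# (not FortiGate code). Each pattern has an action (Block or Exempt), a type
# (Wildcard or Regular Expression), a score and an enable flag. Exempt patterns
# are tested first and let the page pass; otherwise the scores of matching Block
# patterns are summed and the page is blocked once the total reaches threshold.

def compile_pattern(pattern, ptype):
    if ptype == "Regular Expression":
        # Accept the /word/i form from step 18; the trailing i ignores case.
        m = re.fullmatch(r"/(.*)/(i?)", pattern)
        if m:
            return re.compile(m.group(1), re.IGNORECASE if m.group(2) else 0)
        return re.compile(pattern)
    # Wildcard: '*' is any run of characters and '?' a single character.
    # Assumption: wildcard matching is case-sensitive (hence /Word/i in the lab).
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(escaped)

def evaluate(text, patterns, threshold):
    active = [p for p in patterns if p["enable"]]
    for p in active:  # exempt patterns are checked before any scoring
        if p["action"] == "Exempt" and compile_pattern(p["pattern"], p["type"]).search(text):
            return ("pass", 0, "exempt pattern matched: " + p["pattern"])
    score, hits = 0, []
    for p in active:
        if p["action"] == "Block" and compile_pattern(p["pattern"], p["type"]).search(text):
            score += p["score"]
            hits.append(p["pattern"])
    if score >= threshold:
        return ("block", score, "%s reached threshold %d" % (hits, threshold))
    return ("pass", score, "score %d below threshold %d" % (score, threshold))

def pattern(action, pat, ptype, score=0, enable=True):
    return {"action": action, "pattern": pat, "type": ptype, "score": score, "enable": enable}

# Constructed stand-in for the page body; words follow the suggestion in step 12.
PAGE = ("Fortinet delivers security technology worldwide. "
        "Become a partner: the Partner Program starts today.")

def run_lab_steps(threshold=5):
    """Replay steps 15, 19, 21 and 22 and return each step's decision."""
    word1 = pattern("Block", "technolog*", "Wildcard", 5)
    word2 = pattern("Block", "/program/i", "Regular Expression", 5)
    phrase = pattern("Exempt", "/partner program/i", "Regular Expression")
    word3 = pattern("Block", "partner", "Wildcard", 5)
    results = {"step15": evaluate(PAGE, [word1], threshold)}
    word1["enable"] = False  # step 17 disables Word 1 before Word 2 is added
    results["step19"] = evaluate(PAGE, [word1, word2], threshold)
    results["step21"] = evaluate(PAGE, [word1, word2, phrase], threshold)
    results["step22"] = evaluate(PAGE, [word1, word2, phrase, word3], threshold)
    # Same patterns without the exempt phrase: Word 2 + Word 3 give 10 >= 5
    results["step22_no_exempt"] = evaluate(PAGE, [word1, word2, word3], threshold)
    return results
```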
Exercise 2
Testing Web Category Filtering
1. Go to UTM > Web Filter > Profile. Click Create New and configure a new web filter profile called
Category_TestX.
2. Expand FortiGuard Web Filtering. Click to enable HTTP, HTTPS and Logging and enable category
blocking and logging as follows:
Potentially Liable: Block and Log
Controversial: Block and Log
Potentially Non-productive: Block and Log
Potentially Bandwidth Consuming: Block and Log
Potential Security Violating: Block and Log
General Interest: Block and Log
Business Oriented: Block and Log
Others: Block and Log
Unrated: Block and Log
3. Expand Advanced Filter and enable the settings as follows:
Rate Images by URL: enable for HTTP
Strict Blocking: enable for HTTP and HTTPS
Rate URLs by Domain and IP Address: enable for HTTP and HTTPS
Click OK to save the changes.
4. Go to Firewall > Policy > Policy and edit the default internal -> wan1 policy. Change the web filter profile
to Category_TestX.
Click OK.
5 .Try to connect to a few different web sites. The FortiGuard Web Filtering Block Message should be
displayed.
6.Go to System > Config > Replacement Message to configure a custom replacement message. Expand
FortiGuard Web Filtering and edit the URL block message.
7.Go to UTM > Web Filter> Local Categories. Enter a new Local Category name of Local-1 and click
Create New.
8. Go to UTM > Web Filter > Local Ratings. Click Create New to create new entries for some of the web
sites visited previously that were blocked. Enter the URL of a web site. Expand Local Categories in the
Category Rating table and enable the rating for Local-X.
Click OK.
9. Go to UTM > Web Filter > Profile. Edit the Category_TestX profile and expand FortiGuard Web
Filtering. Expand Local Categories in the category table. Click to enable the Local-X category and set to
Allow. Click to enable Log.
Click OK to save the changes.
10.Try to visit a URL in the local category. Verify that other web sites not found in
the local category are still blocked.
Note: Some parts of an allowed web page may be blocked if off-site URLs are used that are not in the allowed
category.
Exercise 3
Web Filtering Overrides
1. Go to User > User Group > User Group. Click Create New and configure a new
user group with the following settings:
Name: web-override
Type: Firewall
Members: Enter the User Name of the sample user created in the Authentication lab.
Click OK.
2. Go to UTM > Web Filter > Profile and edit the Category_TestX profile. Expand FortiGuard Web Filtering
and enable Allow Override for all categories.
3. Expand FortiGuard Web Filtering Overrides and enable HTTP and HTTPS. Set the following:
Override Scope: IP
Override Type: Exact Domain
Off-site URL: Deny
Override Time: Constant/15 minutes
User Group: web-override
Click OK.
Note: Do not use a web proxy, otherwise the Web Category Override web page will not work.
4. Try to visit a blocked category website. This time the blocked page replacement message will have an
Override link. Click the Override link to view a Web Filter Block Override. Enter the user name and
password of a sample user (you can create a new user from the User > User > Create New menu).
Note that other fields are grayed out as they are set by the override user group. After completing the
required fields that will grant access to the desired website, click Continue.
5.Go to UTM > Web Filter > Override. Click to select User Overrides and click Edit ()(or double-click the
entry) to view the web filter override list. Note the Expiry Date column of the dynamically added entries.
6. Go to Log&Report > Log Access > Web Filter. Locate the log messages related to category blocking.
Scroll or page down to locate the log messages from the URL and content filtering performed earlier in
this lab.
7.Disable the web filter profile in the firewall policy.
Lab 9 Data Leak Prevention
Objectives
In this lab, the DLP features of the FortiGate unit will be tested to block the transmission of sensitive data
outside the network. Users who attempt to send sensitive data outside the network will be banned from
sending further email.
Tasks
In this lab, the following tasks will be completed:
Exercise 1 Blocking Encrypted Files
Exercise 2 Blocking Leakage of Credit Card Information
Exercise 3 Blocking Oversize Files by Type
Exercise 4 DLP Banning and Quarantining
Timing
Estimated time to complete this lab: 40 minutes
Exercise 1 Blocking Encrypted Files
1. Download a copy of the dlp-test-encrypt.zip file from Fortinet Online Campus at the following location:

Click Class Descriptions, then 201 - FortiGate I tab to access the file. Save the file to a location on the local
PC.
2. In the Web Config, go to UTM > Data Leak Prevention > Rule. Create a new DLP rule called
Block_Encrypted_Rule with the following details:
Protocol: HTTP
HTTP POST: enabled
Rule: File is encrypted
Click OK.
3. Go to UTM > Data Leak Prevention > Sensor. Create a new DLP Sensor called Block_EncryptedX.
Enable logging and click Create New to define a new rule with the following details:
Action: Block
Archive: disable
Severity: 1 (Lowest)
Member Type: Rule
Enable Block_Encrypted_Rule.
Click OK.
4. Edit the default internal -> wan1 policy. Enable UTM and DLP Sensor. Select the Block_EncryptedX
DLP sensor. When a DLP Sensor is enabled, a Protocol Options list must be defined. Select the default
list. Disable any other UTM elements that are enabled from previous exercises and click OK.
5. Using a web-based file transfer tool (for example, www.yousendit.com or
www.sendspace.com) attempt to send the dlp-test-encrypt.zip file to an email address.
The DLP block replacement message should be presented.
6. Locate the DLP log entry for this action.
7. Change the extension on the file name to *.txt and attempt to send the file
again. The file should still be blocked, because the rule matches on the file content being encrypted, not on the name.
Exercise 2
Blocking Leakage of Credit Card Information
1. Go to UTM > Data Leak Prevention > Rule and locate the built-in DLP rule called HTTP-Visa-
Mastercard. This rule has been designed to block any HTTP transfer that contains a Visa or Mastercard
number in the message body. Edit the rule and note the regular expression used to identify the credit card
number.
Enable HTTP GET.
Enable the file option Scan archive contents.
Click OK.
2. Go to UTM > Data Leak Prevention > Sensor and create a new DLP sensor called Sensitive_DataX.
Enable logging and create a new rule with the following details:
Action: Block
Archive: Full
Severity: 1 (Lowest)
Member Type: Rule
Enable HTTP-Visa-Mastercard.
Click OK.
3. Go to Firewall > Policy > Policy and edit the default internal -> wan1 policy. Enable DLP sensor and
select the Sensitive_DataX sensor from the list.
Click OK.
4. Test the ability to download a file called creditcards.xlsx containing credit card numbers from the
Fortinet Online Campus at the following location: http://campus.training.fortinet.com
Click Class Descriptions, then 201 - FortiGate I tab to access the file. The DLP block replacement
message should be presented when the file download is attempted.
5. Locate the full archived entry of the file on the FortiAnalyzer unit.
6. Locate the DLP log entry for this action.
Exercise 3
Blocking Oversize Files by Type
An alternate use of DLP is to control bandwidth usage by limiting the size of files of certain file-types. In
this exercise compound rules will be used.
1. Go to UTM > Data Leak Prevention > Rule and create a new DLP rule called Big_FileX with the
following details:
Protocol: HTTP
HTTP-POST: enabled
HTTP-GET: enabled
Rule: Transfer Size >= 1000KB
Click OK.
2. Go to UTM > AntiVirus > File Filter and create a new file filter called No_MP3
to block files with a file name pattern of *.mp3.
3. Create a second DLP rule called MP3X with the following details:
Protocol: HTTP
HTTP-POST: enabled
HTTP-GET: enabled
Rule: File type is found in No_MP3
Click OK.
4. Go to UTM > Data Leak Prevention > Compound and create a compound called MP3_CompoundX
with the following details:
Protocol: HTTP
HTTP-POST: enabled
HTTP-GET: enabled
Rules: Big_FileX, MP3X
Click OK.
5. Edit the Sensitive_DataX sensor to include the compound rule:
Action: Block
Archive: Full
Severity: 1
Member Type: Compound rule
Enable the MP3_CompoundX compound rule.
Click OK.
6. Attempt to download the file called big.mp3 from Fortinet Online Campus at the following location:
http://campus.training.fortinet.com
Click Class Descriptions, then 201 - FortiGate I tab to access the file.
The DLP block replacement message should be presented when the file download is attempted.
7. Locate the full archived entry of the file on the FortiAnalyzer unit.
8.Locate the DLP log entry for this action.
Exercise 4
DLP Banning and Quarantining
1. Edit the DLP sensor called Sensitive_DataX and change the action for the HTTP-Visa-Mastercard
rule to Ban.
2. Attempt to download the creditcards.xlsx file once again. The user should be banned.
3. Go to User > Monitor > Banned User and locate the ban entry in the list. By looking at the user ban list,
how can an administrator tell whether the entry is a ban entry and not a quarantine entry?
4. Click Clear ( ) to remove the ban entry.
5. Modify the Sensitive_DataX sensor to change the action for the No_Big_MP3 rule to Quarantine IP
address. Set the expiry to 5 minutes.
6. Attempt to download the big.mp3 file once again. The user should be quarantined. Check the banned
user list once again and locate the user entry. Note that the Application Protocol column is empty,
indicating that the user is quarantined.
7. Disable the Sensitive_DataX DLP sensor in the student internal -> wan1 policy.
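The rule, compound and action behaviour exercised in exercises 3 and 4, as an added Python model that is not Fortinet's code: the size threshold, the file filter match, the compound AND, and the Ban versus Quarantine IP entries in the banned user list. The card-number matcher is a simplified stand-in rather than the built-in HTTP-Visa-Mastercard expression, "1000KB" is assumed to mean 1000 * 1024 bytes, and the sample transfers are constructed.

```python
import re
import fnmatch

# Constructed model of the DLP sensor behaviour in Lab 9, exercises 3 and 4
# (not FortiGate code). A rule is a predicate over an HTTP transfer; a compound
# matches only when all of its member rules match. The member action decides
# the outcome: Block stops the transfer, Ban also adds the user to the banned
# user list, Quarantine IP adds the source address with an expiry. A quarantine
# entry shows no application protocol, which is how exercise 4 tells it apart.

def big_file(x):     # Big_FileX: Transfer Size >= 1000KB (assumed 1000 * 1024 bytes)
    return x["size"] >= 1000 * 1024

def mp3_file(x):     # MP3X: file name matches the No_MP3 file filter pattern *.mp3
    return fnmatch.fnmatch(x["name"].lower(), "*.mp3")

def card_number(x):  # simplified stand-in for HTTP-Visa-Mastercard, NOT the built-in regex
    return re.search(r"\b[45]\d{15}\b", x["body"]) is not None

def compound(*rules):  # MP3_CompoundX: every member rule must match
    return lambda x: all(rule(x) for rule in rules)

# Sensitive_DataX as left at the end of exercise 4: (member name, matcher, action)
SENSOR = [("HTTP-Visa-Mastercard", card_number, "Ban"),
          ("MP3_CompoundX", compound(big_file, mp3_file), "Quarantine IP")]

def apply_sensor(x, banned, sensor=SENSOR, expiry_min=5):
    """Return 'block' or 'pass' for one transfer and update the banned user list."""
    if x["proto"] != "HTTP" or x["method"] not in ("GET", "POST"):
        return "pass"   # every rule in this lab is scoped to HTTP GET and POST
    for name, match, action in sensor:
        if not match(x):
            continue
        if action == "Ban":
            banned.append({"who": x["user"], "protocol": "HTTP", "rule": name, "expiry": None})
        elif action == "Quarantine IP":
            banned.append({"who": x["src"], "protocol": "", "rule": name, "expiry": expiry_min})
        return "block"  # Block, Ban and Quarantine IP all stop the transfer
    return "pass"

def is_quarantine(entry):  # quarantine entries have an empty Application Protocol column
    return entry["protocol"] == ""

def xfer(name, size, body=""):  # constructed HTTP GET from one student PC
    return {"proto": "HTTP", "method": "GET", "user": "student", "src": "192.168.101.2",
            "name": name, "size": size, "body": body}

def run_samples(banned):
    """Replay the lab downloads; 4111111111111111 is a well-known test card number."""
    samples = [xfer("big.mp3", 3 * 1024 * 1024),        # large MP3: compound matches
               xfer("big.iso", 3 * 1024 * 1024),        # large but not MP3: passes
               xfer("tiny.mp3", 200 * 1024),            # MP3 but small: passes
               xfer("creditcards.xlsx", 20 * 1024, "card 4111111111111111")]
    return [apply_sensor(s, banned) for s in samples]
```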
Lab 10 Application Control
Objectives
In this lab, access to specific applications will be blocked using the Application Control features on the
FortiGate unit.
Tasks
In this lab, the following tasks will be completed:
o Exercise 1 Creating an Application Control List
o Exercise 2 Testing Application Control
Timing
Estimated time to complete this lab: 10 minutes
Exercise 1
Creating an Application Control List
1. In Web Config, go to UTM > Application Control > Application Control List. Create a new Application
Control List called App_Control_LabX.
Click OK.
2. Create new application entries in the App_Control_LabX list as follows:
Category: media
Application: YouTube.Download
Action: Pass
Logging: Enabled

Category: web
Application: Myspace
Action: Block
Logging: Enabled
3. Go to Firewall > Policy > Policy and edit the default policy. Enable UTM and Application Control. Select
the App_Control_LabX control list. Click OK.
Exercise 2
Testing Application Control
1. In a web browser, attempt to play a video on youtube.com.
2. Go to Log&Report > Log Access > Application Control and locate the log entry for this action.
3. In a web browser, go to myspace.com.
4. Locate the log entry for this action in the Application Control log. Double-click the entry to view the
details of the log entry.
5. Edit the App_Control_LabX Application Control List and set the action for youtube.com to Block.
6. In a web browser, attempt to play a video on youtube.com once again.
7. Locate the log entry for this action in the Application Control log. Double-click the entry to view the
details of the log entry.