FortiGate Security 6.2 Lab Guide-Online

DO NOT REPRINT
© FORTINET
FortiGate Security Lab

Guide
for FortiOS 6.2
DO NOT REPRINT
© FORTINET
Fortinet Training
http://www.fortinet.com/training
Fortinet Document Library
http://docs.fortinet.com
Fortinet Knowledge Base
http://kb.fortinet.com
Fortinet Forums
https://forum.fortinet.com
Fortinet Support
https://support.fortinet.com
FortiGuard Labs
http://www.fortiguard.com
Fortinet Network Security Expert Program (NSE)

https://www.fortinet.com/support-and-training/training/network-security-expert-program.html
Feedback
Email: [email protected]
5/15/2019
DO NOT REPRINT
© FORTINET
TABLE OF CONTENTS
Virtual Lab Basics 9

Network Topology 9
Lab Environment 9
Remote Access Test 10
Logging In 11
Disconnections and Timeouts 13
Screen Resolution 13
Sending Special Keys 14
Student Tools 15
Troubleshooting Tips 15
Lab 1: Introduction to FortiGate 18
Exercise 1: Working with the CLI 19
Explore the CLI 19
Exercise 2: Generating Configuration Backups 22
Restore Configuration From a Backup 22
Back Up and Encrypt a Configuration File 24
Restore an Encrypted Configuration Backup 25
Compare the Headers of Two Configuration Files 25
Exercise 3: Configuring Administrator Accounts 27
Configure a User Administrator Profile 27
Create an Administrator Account 27
Test the New Administrator Account 28
Restrict Administrator Access 29
Test the Restricted Access 29
Lab 2: Security Fabric 30
Exercise 1: Configuring the Security Fabric 1 33
Configure the Security Fabric on Local-FortiGate HQ1 (root) 33
Configure the Security Fabric on ISFW 35
Authorize downstream FortiGate ISFW on the root FortiGate (HQ1) 37
Check the Security Fabric deployment result 38
Exercise 2: Configuring the Security Fabric 2 40
Configure the Security Fabric on Remote-FortiGate HQ2 (downstream) 40
Authorize downstream Remote-FortiGate(HQ2) on the root Local-FortiGate (HQ1) 42
DO NOT REPRINT
© FORTINET
Authorize all the Security Fabric FortiGates on FortiAnalyzer 43
Check FortiAnalyzer Status on all Security Fabric FortiGate Devices 44
Check the Security Fabric Deployment Result 45
Exercise 3: Running Security Rating 48
Running Security Rating on Root Local-FortiGate 48
Lab 3: Firewall Policies 52
Exercise 1: Creating Firewall Address Objects and Firewall Policies 54
Create Firewall Address Objects 54
Create a Firewall Policy 54
Test the Firewall Policy and View Generated Logs 56
Exercise 2: Reordering Firewall Policies and Firewall Policy Actions 58
Test the Reordering of a Firewall Policy 59
Exercise 3: Applying ISDB Objects as Destinations 61
Review the Internet Service Database 61
Configure a Firewall Policy Destination as an ISDB Object 61
Test the Internet Service Firewall Policy 62
Exercise 4: Using Policy Lookup 64
Enable Existing Firewall Policies 64
Set Up and Test the Policy Lookup Criteria 64
Reorder the Firewall Policies 65
Retest Policy Lookup After Reordering the Firewall Policies 66
Lab 4: NAT 68
Exercise 1: Accessing Through VIPs 70
Create a VIP 70
Test the VIP Firewall Policy 72
Test the SNAT 73
Exercise 2: Using Dynamic NAT with IP Pools 75
Create an IP Pool 75
Edit a Firewall Policy to Use the IP Pool 75
Test Dynamic NAT with IP Pools 76
Exercise 3: Configuring Central SNAT 78
Configure Central SNAT Policy 79
Review the Firewall Policy 80
Test Central SNAT 81
Create a Second IP Pool 82
Create a Second SNAT Policy 83
Reorder Central SNAT Policies 84
Test Central SNAT 84
Exercise 4: Configuring and Testing DNAT and VIPs 87
DO NOT REPRINT
© FORTINET
Create DNAT and VIPs 87
Verify the Firewall Policy Settings 88
Test DNAT and VIPs 88
Lab 5: Firewall Authentication 90
Exercise 1: Configuring Remote Authentication 91
Configure an LDAP Server on FortiGate 91
Assign an LDAP User to a Firewall Group 92
Add the Remote User Group to Your Firewall Policy 93
Authenticate and Monitor 94
Exercise 2: Configuring Captive Portal 98
Create a User Group for Captive Portal 98
Enable Captive Portal 98
Enable the Disclaimer Message 99
Authenticate and Monitor 99
Lab 6: Logging and Monitoring 102
Exercise 1: Configuring Log Settings 104
Configure Log Settings 104
Configure Threat Weight 106
Exercise 2: Enabling Logging on Firewall Policies 107
Enable Logging on a Firewall Policy 107
Exercise 3: Monitoring Logs Through Alert Email 110
Configure Alert Emails 110
Generate Traffic 110
Generate Traffic Through FIT 111
Generate Traffic Through Nikto 112
View Alert Emails 114
Exercise 4: Viewing Logs on the FortiGate GUI 116
View Logs from Log & Report Menu 116
Forward Traffic 116
Security Profile Logs 118
View and Filter IPS Logs 119
View Logs in FortiView 120
Lab 7: Certificate Operations 122
Exercise 1: Configuring SSL Deep Inspection on Outbound Traffic 124
Configure SSL Inspection 124
Enable SSL Inspection on a Firewall Policy 125
Install the Fortinet_CA_SSL Certificate 125
Test Full SSL Inspection 128
Exercise 2: Configuring SSL Deep Inspection on Inbound Traffic 130
Configure a Virtual IP and Firewall Policy 130
Install the Training CA Certificate 131
DO NOT REPRINT
© FORTINET
Configure Inbound SSL Deep Inspection 136
Lab 8: Web Filtering 139
Exercise 1: Configuring FortiGuard Web Filtering 141
Review the FortiGate Settings 141
Determine Web Filter Categories 142
Configure a FortiGuard Category-Based Web Filter 143
Apply the Web Filter Profile to a Firewall Policy 146
Test the Web Filter 147
Create a Web Rating Override 148
Test the Web Rating Override 149
Exercise 2: Setting Up Web Filtering Authentication 150
Set Up the Authenticate Action 150
Define Users and Groups 151
Test the Authenticate Action 152
Exercise 3: Configuring and Testing Web Profile Overrides 154
Configure Web Profile Overrides 154
Test the Web Profile Override 154
Lab 9: Application Control 157
Exercise 1: Controlling Application Traffic 158
Configure Filter Overrides 158
Apply the Application Control Profile to the Firewall Policy 160
Test the Application Control Profile 160
Configure Application Overrides 161
Test Application Overrides 162
View Logs 163
Exercise 2: Controlling Application Bandwidth Usage 164
Modify Application Overrides Action 164
Configure a Traffic Shaping Policy 164
Test Traffic Shaping 166
Lab 10: Antivirus 169
Exercise 1: Using Antivirus Scanning in Flow-Based Inspection Mode 170
Configure the Antivirus Profile in Flow-Based Inspection Mode 170
Review the Flow-Based Antivirus Profile 171
Enable the Antivirus Profile on a Firewall Policy 171
Test the Antivirus Configuration 172
Test an Alternate Download Method 172
View the Antivirus Logs 173
Enable SSL Inspection on a Firewall Policy 175
Exercise 2: Configuring Proxy-Based Antivirus Scanning 177
Change the FortiGate Inspection Mode 177
Review the Antivirus Profile in Proxy-Based Inspection Mode 177
DO NOT REPRINT
© FORTINET
Enable the Antivirus Profile on a Firewall Policy 178
Test the Proxy-Based Antivirus Profile 179
View the Antivirus Logs 180
Lab 11: Intrusion Prevention System (IPS) and Denial of Service (DoS) 182
Exercise 1: Blocking Known Exploits 183
Configure IPS Inspection 183
Apply an IPS Sensor to a VIP Firewall Policy 184
Generate Attacks from the Linux Server 186
Monitor the IPS 187
Exercise 2: Using Rate Based IPS Signatures 189
Apply Rate Based Signatures 189
Test the Rate Based Signature 189
Exercise 3: Mitigating a DoS Attack 192
Create a DoS Policy 192
Test the DoS Policy 193
Lab 12: SSL-VPN 195
Exercise 1: Configuring Web Mode SSL-VPN 196
Configure the SSL-VPN Settings 196
Create a Firewall Policy for SSL-VPN 197
Test the SSL-VPN Access 198
Add an Admin-Based Bookmark to the SSL-VPN Portal 200
Test SSL-VPN Access Using the Predefined Bookmark 201
Examine the Web Mode Mechanism (Reverse HTTP Proxy) 202
Monitor an SSL-VPN User 202
Exercise 2: Configuring SSL-VPN Tunnel Mode 204
Add Tunnel Mode 204
Configure the Routing for Tunnel Mode 205
Configure FortiClient for SSL-VPN connections 205
Test SSL-VPN in Tunnel Mode 206
Review VPN Events 208
Lab 13: Dialup IPsec VPN 210
Exercise 1: Configuring a Dialup IPsec VPN Between Two FortiGate Devices 212
Create Phase 1 and Phase 2 on Local-FortiGate (Dialup Server) 212
Create Firewall Policies for VPN Traffic on Local-FortiGate (Dialup server) 213
Create Phase 1 and Phase 2 on Remote-FortiGate (Dialup Client) 215
Create a Static Route for Route-Based VPN on Remote-FortiGate (Dialup Client) 217
Create the Firewall Policies for VPN Traffic on Remote-FortiGate (Dialup Client) 217
Exercise 2: Testing and Monitoring the VPN 220
Exercise 3: Creating an IPsec VPN Between FortiGate and FortiClient 222
Configure a Dialup VPN 223
Configure FortiClient for Dialup VPN 226
DO NOT REPRINT
© FORTINET
Connect to the Dialup VPN 227
Check the IP Address and Route Added to the Remote-Windows VM 229
Test the Dialup VPN 230
Disconnect the Dialup VPN 231
DO Virtual
NOT REPRINT
Lab Basics Network Topology
© FORTINET
Virtual Lab Basics
In this course, you will use a virtual lab for hands-on exercises. This section explains how to connect to the lab
and its virtual machines. It also shows the topology of the virtual machines in the lab.
If your trainer asks you to use a different lab, such as devices physically located in your
classroom, then ignore this section. This section applies only to the virtual lab
accessed through the Internet. If you do not know which lab to use, please ask your
trainer.
Network Topology
Lab Environment
Fortinet's virtual lab for hands-on exercises is hosted on remote data centers that allow each student to have their
own training lab environment or point of deliveries (PoD).
FortiGate Security 6.2 Lab Guide 9

Fortinet Technologies Inc.
DO Remote
NOTAccess
REPRINT
Test Virtual Lab Basics
© FORTINET
Remote Access Test
Before starting any course, check if your computer can connect to the remote data center successfully. The
remote access test fully verifies if your network connection and your web browser can support a reliable
connection to the virtual lab.
You do not have to be logged in to the lab portal in order to run the remote access test.
To run the remote access test

1. From a browser, access the following URL:
https://use.cloudshare.com/test.mvc
If your computer connects successfully to the virtual lab, you will see the message All tests passed!:
2. Inside the Speed Test box, click Run.

The speed test begins. Once complete, you will get an estimate for your bandwidth and latency. If those
estimations are not within the recommended values, you will get any error message:
10 FortiGate Security 6.2 Lab Guide

DO Virtual
NOT REPRINT
Lab Basics Logging In
© FORTINET
Logging In
After you run the remote access test to confirm that your system can run the labs successfully, you can proceed to
log in.
You will receive an email from your trainer with an invitation to auto-enroll in the class. The email will contain a
link and a passphrase.
To log in to the remote lab

1. Click the login link provided by your instructor over email.
2. Enter your email address and the class passphrase provided by your trainer over email, and then click Login.
3. Enter your first and last name.

4. Click Register and Login.

DO Logging
NOTIn REPRINT Virtual Lab Basics
© FORTINET
Your system dashboard appears, listing the virtual machines (VMs) in your lab topology.
5. To open a VM from the dashboard, do one of the following:

l From the top navigation bar, click a VM's tab.
l From the box of the VM you want to open, click View VM.
Follow the same procedure to access any of your VMs.
When you open a VM, your browser uses HTML5 to connect to it. Depending on the VM you select, the web
browser provides access to either the GUI of a Windows or Linux VM, or the CLI-based console access of a
Fortinet VM.

DO Virtual
NOT REPRINT
Lab Basics Disconnections and Timeouts
© FORTINET
For most lab exercises, you will connect to a jumpbox VM, that could be either a Windows or a Linux VM.
From the jumpbox VM, you will connect over HTTPS and SSH to all other Fortinet VMs in the lab
environment.
Disconnections and Timeouts
If your computer’s connection to the VM times out or closes, to regain access, return to the window or tab that
contains the list of VMs for your session, and reopen the VM.
If that fails, see Troubleshooting Tips on page 15.
Screen Resolution
The GUIs of some Fortinet devices require a minimum screen size.
To configure screen resolution in the HTML5 client, use the Resolution drop-down list on the left. You can also
change the color depth:

DO Sending
NOTSpecial
REPRINT
Keys Virtual Lab Basics
© FORTINET
Sending Special Keys
You can use the Virtual Keyboard panel to either send the Ctrl-Alt-Del combination, or the Windows key:
From the Virtual Keyboard panel, you can also copy text to the guest VM's clipboard:

DO Virtual
NOT REPRINT
Lab Basics Student Tools
© FORTINET
Student Tools
There are three icons on the left for messaging the instructor, chatting with the class, and requesting assistance:
Troubleshooting Tips
l Do not connect to the virtual lab environment through Wi-Fi, 3G, VPN tunnels, or other low-bandwidth or high-
latency connections.
l Prepare your computer's settings by disabling screen savers and changing the power saving scheme so that your
computer is always on, and does not go to sleep or hibernate.
l For best performance, use a stable broadband connection, such as a LAN.

DO Troubleshooting
NOT REPRINT Tips Virtual Lab Basics
© FORTINET
l You can run a remote access test from within your lab dashboard. It will measure your bandwidth, latency and
general performance:
l If the connection to any VM or the virtual lab portal closes unexpectedly, try to reconnect. If you can't reconnect,
notify the instructor.
l If you can't connect to a VM, on the dashboard, open the VM action menu, and select Reset:
l If that does not solve the access problem, you can try to revert the VM back to its initial state. Open the VM action
menu, and select Revert:
Reverting to the VM's initial state will undo all of your work. Try other solutions first.

DO Virtual
NOT REPRINT
Lab Basics Troubleshooting Tips
© FORTINET
l During the labs, if the VM is waiting for a response from the authentication server, a license message similar to the
following example appears:
To expedite the response, enter the following command in the CLI:

execute update-now

DO NOT REPRINT
© FORTINET
Lab 1: Introduction to FortiGate
In this lab, you will learn about the FortiGate administration through the CLI and GUI. You will also back up and
restore a configuration file, as well as create a new administrator account and modify administrator access
permissions.
Objectives
l Access the FortiGate CLI
l Back up and restore configuration files
l Locate the FortiGate model and FortiOS firmware build in a configuration file
l Create a new administrator user
l Restrict administrator access
Time to Complete
Estimated: 25 minutes

DO NOT REPRINT
© FORTINET
Exercise 1: Working with the CLI
In this exercise, you will access a FortiGate device using the CLI.
Explore the CLI
The next steps will help you get familiar with the FortiGate CLI.
To explore the CLI

1. On the Local-FortiGate device, in the list of VMs, click View VM to open the FortiGate console.
2. At the login prompt, enter admin.
3. In the Password field, type password, and then press Enter.
4. Enter the following command:
get system status
This command displays basic status information about FortiGate. The output includes FortiGate's serial
number, operation mode, and so on. When the More prompt appears on the CLI, do one of the following:
To continue scrolling Space bar
To scroll one line at a time Enter
To exit Q
get ?
The ? character is not displayed on the screen.
This command shows all of the options that the CLI will accept after the # get command. Depending on the
command, you may need to enter additional words to completely specify a configuration option.
6. Press the Up Arrow key twice.

This displays the previous get system status command.
7. Try some of the control key sequences shown in the following table:

DO Explore
NOTthe REPRINT
CLI Exercise 1: Working with the CLI
© FORTINET
Action Command
Previous command Up Arrow
Next command Down Arrow
Beginning of line CTRL+A
End of line CTRL+E
Back one word CTRL+B
Forward one word CTRL+F
Delete current character CTRL+D
Clear screen CTRL+L
Abort command and exit CTRL+C
Auto repeat history CTRL+P
execute ?
This command lists all options that the CLI will accept after the execute command.
9. Type exe, and then press the Tab key.

Notice that the CLI completes the current word.
10. Press the Space bar and then press the Tab key three times.
Each time you press the Tab key, the CLI replaces the second word with the next possible option for the
execute command, in alphabetical order.
You can abbreviate most commands. In presentations and labs, many of the
commands that you see will be in abbreviated form. For example, instead of typing
execute, you can type exe.
Use this technique to reduce the number of keystrokes that are required to enter a
command. Often, experts can configure FortiGate faster using the CLI than the GUI.
If there are other commands that start with the same characters, your abbreviation
must be long enough to be specific, so that FortiGate can distinguish them.
Otherwise, the CLI displays an error message about ambiguous commands.
11. On a newline, enter the following command to view the port3 interface configuration. (Hint: try using the shortcuts
you just learned about.):
show system interface port3
show full-configuration system interface port3

DO Exercise
NOT1: Working
REPRINT
with the CLI Explore the CLI
© FORTINET
Stop and think!
Compare both outputs. How are they different?
The show full-configuration command displays all the configuration settings for the interface.
The show command displays only those values that are different from the default values.

DO NOT REPRINT
© FORTINET
Exercise 2: Generating Configuration Backups
In this exercise, you will learn how to generate and restore clear-text and encrypted configuration backups. The
configuration files produced by backups, allow you to restore to an earlier FortiGate configuration.
Restore Configuration From a Backup
Now, you will restore a configuration from a backup.
To restore a configuration from a backup

1. On the Local-Windows device, in the list of VMs, click View VM.
2. Log in to the Local-Windows VM using the domain\username, TRAININGAD\Administrator and the
password password.
3. On the Local-Windows VM, open a browser and log in to the Local-FortiGate GUI at 10.0.1.254 with the user
name admin and password password.
You can also access the Local-FortiGate GUI from the Firefox browser bookmarks
bar.
All the lab exercises were tested running Mozilla Firefox on the Local-Windows and
Remote-Windows VMs. To get consistent results, you should use Firefox to access
both the Internet and the FortiGate GUIs in this virtual environment.

DO Exercise
NOT2: Generating
REPRINT Configuration Backups Restore Configuration From a Backup
© FORTINET
4. In the upper-right corner of the screen, click admin, and then click Configuration > Restore.
5. Click Upload to select the backup configuration file from your local PC.
6. Click Desktop > Resources > FortiGate-Security > Introduction > local-initial.conf, and then click
Open.
7. Click OK.
8. Click OKto reboot.
After your browser uploads the configuration, FortiGate reboots automatically. This takes approximately 30
to 45 seconds.
9. When the Local-FortiGate GUI login page reappears after reboot, log in with the user name admin and password
password.
10. Click Network > Interfaces and verify that the network interface settings were restored.
11. Click Network > Static Routes, click on the plus sign to expand IPv4 routes and verify that the default route was
restored.

DO Back
NOT Up andREPRINT
Encrypt a Configuration File Exercise 2: Generating Configuration Backups
© FORTINET
Back Up and Encrypt a Configuration File
Always back up the configuration file before making changes to FortiGate (even if the change seems minor or
unimportant). There is no undo. You should carefully consider the pros and cons of an encrypted backup before
you begin encrypting backups. While your configuration, including things like private keys, remains private, an
encrypted file hampers troubleshooting because Fortinet support cannot read the file. Consider saving backups in
plain-text and storing them in a secure place instead.
Now, you will create an encrypted file with the backup of the FortiGate's current configuration.
To save an encrypted configuration backup

1. Continuing on the Local-FortiGate GUI, in the upper-right corner, click admin, and then click Configuration >
Backup.
2. On the Backup System Configuration page, enable Encryption.
3. In the Password field, enter fortinet and repeat in the Confirm password field.
4. Click OK.
5. Select Save File and click OK.
The Firefox browser saves the encrypted configuration file in the Downloads folder, by default.
You can access downloaded files by clicking the blue down arrow in the top right of
the browser.

DO Exercise
NOT2: Generating
REPRINT Configuration Backups Restore an Encrypted Configuration Backup
© FORTINET
Restore an Encrypted Configuration Backup
Restoring from backup allows you to return to a previous configuration. As a word of caution, if you cannot recall
the password required to decrypt the backup, you will not be able to restore to this backup! Ensure that you record
the password and store it in a secure place.
Now, you will restore the configuration backup that you created in the previous procedure.
Take the Expert Challenge!

Restore the configuration from the encrypted backup.
If you require assistance, or to verify your work, use the step-by-step instructions that follow.
After you complete the challenge, see Compare the Headers of Two Configuration Files on page 25.
To restore an encrypted configuration backup

1. Continuing on the Local-FortiGate GUI, in the upper-right corner, click admin, and then click Configuration >
Restore.
2. On the Restore System Configuration page, click Upload.
3. Browse to your Downloads folder and select the configuration file that you created in the previous procedure.
4. In the Password field, type fortinet, and then click OK.
5. Click OK to confirm that you want to restore the configuration.
FortiGate reboots.
Compare the Headers of Two Configuration Files
When troubleshooting issues, or when restoring FortiGate to an earlier OS version or build, it is useful to know
where to find this information in a configuration file. This exercise will show you where to find the version and
build number in a configuration file.
Now, you will open and compare two configuration files using Notepad++.
To compare the headers of two configuration files

1. On Local-Windows in the Windows task bar, click the Notepad++ icon.
2. Click File > Open and browse to the Downloads folder to open the encrypted configuration file.
3. Click File > Open and browse to the initial configuration file:
Desktop\Resources\FortiGate-Security\Introduction\local-initial.conf
The configuration file opens in a second tab in Notepad++.

DO Compare
NOTtheREPRINT
Headers of Two Configuration Files Exercise 2: Generating Configuration Backups
© FORTINET
4. Compare the headers in the two files.
Encrypted file.
Clear-text file.
In both the clear-text and encrypted configuration files, the top line acts as a header,
listing the firmware and model that this configuration belongs to.
5. Close the two tabs in Notepad++ and close the application.

DO NOT REPRINT
© FORTINET
Exercise 3: Configuring Administrator Accounts
FortiGate offers many options for configuring administrator privileges. For example, you can specify the IP
addresses that administrators are allowed to connect from.
In this exercise, you will work with administrator profiles and administrator user accounts. An administrator profile
is a role that is assigned to an administrator user that defines what the user is permitted to do on the FortiGate
GUI and CLI.
Configure a User Administrator Profile
Now, you will create a new user administrator profile that has read-only access for most of the configuration
settings.
To configure a user administrator profile

2. Click System > Admin Profiles.
3. Click Create New.
4. In the Name field, type Security_Admin_Profile.
5. In the permissions table, set Security Profile to Read-Write, but set all other permissions to Read.
6. Click OK to save the changes.
Create an Administrator Account
Now, you will create a new administrator account. You will assign the account to the administrator profile you
created previously. The administrator will have read-only access to most of the configuration settings.
To create an administrator account

1. Continuing on the Local-FortiGate GUI, click System > Administrators.
2. Click Create New and then click Administrator to add a new administrator account.
3. On the New Administrator page, configure the following settings:
Field Value
Username Security
Type Local User
Password fortinet

DO Test
NOT REPRINT
the New Administrator Account Exercise 3: Configuring Administrator Accounts
© FORTINET
Field Value
Confirm Password fortinet
Administrator Profile Security_Admin_Profile
Administrator names and passwords are case sensitive. You can't include characters
such as < > ( ) # " in an administrator account name.
Test the New Administrator Account
In this procedure, you will confirm that the new administrator account has read-write access to only the security
profiles configuration.
To test the new administrator account

1. Continuing on the Local-FortiGate GUI, click admin and then Logout to log out of the admin account GUI
session.
2. Log back in to the Local-FortiGate GUI with the user name Security and password fortinet.
3. Explore the permissions that you have in the GUI.
You should see that this account can configure only security profiles.
4. Log out of the GUI once done.

DO Exercise
NOT3: Configuring
REPRINT Administrator Accounts Restrict Administrator Access
© FORTINET
Restrict Administrator Access
Now, you will restrict access for FortiGate administrators. Only administrators connecting from a trusted subnet
will be allowed access. This is useful if you need to restrict the access points from which administrators connect to
FortiGate.
To restrict administrator access

1. Log back in to the Local-FortiGate GUI with the user name admin and password password.
2. Click System > Administrators.
3. Edit the admin account.
4. Enable Restrict login to trusted hosts, and set Trusted Host 1 to the address 10.0.2.0/24.
6. Log out of the GUI once done.
Test the Restricted Access
Now, you will verify that administrators outside the subnet 10.0.2.0/24 can't access FortiGate.
To test the restricted access

1. Continuing on Local-Windows, log out of the Local-FortiGate GUI session as the admin user.
2. Try to log in to the admin account again with password password.
What is the result this time?
Stop and think!

Why do you receive an authentication failure message?
Because you are trying to connect from the 10.0.1.10 address, you shouldn't be able to connect. This is
because you restricted logins to only the source IP addresses in the list of trusted hosts.
3. On the Local-FortiGate, in the list of VMs, click View VM to open the FortiGate console.
4. Log in as admin with password password.
5. Enter the following CLI commands to add 10.0.1.0/24 as the second trusted IP subnet (Trusted Host 2) to
the admin account:
config system admin

edit admin
set trusthost2 10.0.1.0/24
end
6. Return to the Local-Windows VM.

7. Open a browser and try to log in to the Local-FortiGate GUI at 10.0.1.254 with the user name admin and
password password.
You should be able to log in.

DO NOT REPRINT
© FORTINET
Lab 2: Security Fabric
In this lab, you will learn to configure the security fabric. After you configure the Security Fabric, you will access
the physical and logical topology views.
Objectives
l Configure the Security Fabric on the Local-FortiGate (root) and ISFW FortiGate
l Configure the Security Fabric on the Local-FortiGate (root) and Remote- FortiGate
l Use the Security Fabric topology view to have a logical and physical view of your network topology
l Run the Security Fabric rating checks on the root FortiGate and apply a recommendation
Time to Complete
Topology
In this lab, you will learn how to configure and add the ISFW (Internal Segmentation Firewall) and Remote-
FortiGate(HQ2) to the Local-FortiGate(HQ1) root using the Security Fabric. Local-FortiGate is the headquarters
1, which is the root FortiGate in the Security Fabric. HQ1 and HQ2 are connected through an IPsec tunnel. ISFW
is another leaf FortiGate to the HQ1 firewall. FortiAnalyzer is behind the HQ1 firewall and will be used in the
Security Fabric.
Prerequisites
Before beginning this lab, you must restore configuration files on Local and Remote FortiGates. ISFW
configuration is pre-loaded.

DO Lab
NOT REPRINT
2: Security Fabric
© FORTINET
Make sure to restore the correct configuration on each FortiGate using the following
steps. Failure to restore the correct configuration on each FortiGate will prevent you
from doing the lab exercise.
To restore the Remote-FortiGate configuration file

1. On the Local-Windows VM, open a browser and log in to the Remote-FortiGate GUI at 10.200.3.1 with the
user name admin and password password.
3. Click Local PC, and then click Upload.

4. Click Desktop > Resources > FortiGate-Security > Security-Fabric > remote-VPN-initial.conf, and
then click Open.
5. Click OK.
6. Click OK to reboot.
To restore the Local-FortiGate configuration file


DO NOT REPRINT Lab 2: Security Fabric
© FORTINET
4. Click Desktop > Resources > FortiGate-Security > Security-Fabric > local-VPN-initial.conf, and
then click Open.
5. Click OK.

DO NOT REPRINT
© FORTINET
Exercise 1: Configuring the Security Fabric 1
In this exercise, you will configure the Security Fabric between Local-FortiGate HQ1(root) and the ISFW (leaf).
Configure the Security Fabric on Local-FortiGate HQ1 (root)
You will configure the root of the Security Fabric tree.
To enable FortiTelemetry on Local-FortiGate interfaces

2. Click Network > Interfaces.
3. Click port3, and then click Edit.
4. In the Administrative Access section, select the FortiTelemetry check box.
5. In the Networked Devices section, turn on the Device Detection switch.
6. Click OK.
7. Click Network > Interfaces and expand port1.
8. Click interface To-Remote-HQ2, and then click Edit.
10. Click OK.
To enable the security fabric on Local-FortiGate

1. Continuing on the Local-FortiGate GUI, click Security Fabric >Settings.
2. Enable FortiGate Telemetry.
3. Configure the following settings:

DO Configure
NOTtheREPRINT
Security Fabric on Local-FortiGate HQ1 (root) Exercise 1: Configuring the Security Fabric 1
© FORTINET
Field Value
Group name fortinet
FortiTelemetry enabled interfaces port3, To-Remote-HQ2
(ensure both interfaces are selected)
4. In the FortiAnalyzer Logging section, configure the following settings:
Field Value
IP address 10.0.1.210
Upload option Real Time
5. Click Test Connectivity.
A warning appears indicating FortiGate isn’t yet authorized on FortiAnalyzer. This

authorization is configured in a later step on FortiAnalyzer.
Your configuration should look like the following example:
6. Click Apply.

DO Exercise
NOT1: Configuring
REPRINT the Security Fabric 1 Configure the Security Fabric on ISFW
© FORTINET
Configure the Security Fabric on ISFW
You will configure the leaf of the security fabric tree.

On the ISFW GUI (10.0.1.200), enable FortiTelemetry on port1 and port3.Enable network device
detection on both ports.After you have enabled it, configure Security Fabric settings with the group name
fortinet.
After you complete the challenge, see To enable the security fabric on ISFW (leaf) on page 36 .
To enable FortiTelemetry on ISFW interfaces

1. On the Local-Windows VM, open a browser and log in to the ISFW GUI at 10.0.1.200 with the user name
admin and password password.
6. Click OK.

DO Configure
NOTtheREPRINT
Security Fabric on ISFW Exercise 1: Configuring the Security Fabric 1
© FORTINET
To enable the security fabric on ISFW (leaf)
1. Continuing on the ISFW GUI, click Security Fabric > Settings.
Field Value
Group name fortinet
FortiTelemetry enabled interfaces port1, port3
4. Enable Connect to upstream FortiGate.

FortiGate IP is filled automatically with the default static route gateway address 10.0.1.25 already
configured on the ISFW.
5. Click Apply.

DO Exercise
NOT1: Configuring
REPRINT the Security Fabric 1 Authorize downstream FortiGate ISFW on the root FortiGate (HQ1)
© FORTINET
A warning appears indicating FortiGate is not yet authorized on the root FortiGate.
You will authorize ISFW from the root Local-FortiGate.
FortiAnalyzer logging is enabled after FortiGate telemetry is enabled. FortiAnalyzer

settings will be retrieved from the root Local-FortiGate when FortiGate (ISFW)
connects to root Local-FortiGate.
Authorize downstream FortiGate ISFW on the root FortiGate (HQ1)
You will authorize ISFW on root Local-FortiGate to join the Security Fabric.
To authorize downstream ISFW on the root Local-FortiGate

2. Click Security Fabric > Settings.
3. In the Topology field, click the highlighted FortiGate serial number, and click Authorize.

DO Check
NOT REPRINT
the Security Fabric deployment result Exercise 1: Configuring the Security Fabric 1
© FORTINET
After authorization, downstream ISFW FortiGate shows up in the topology field of the
Security Fabric > Settings page, which means downstream ISFW FortiGate joins
the Security Fabric successfully.
A warning appears indicating FortiGate is not yet authorized on FortiAnalyzer. This

authorization is configured in a later step on FortiAnalyzer.
Check the Security Fabric deployment result
Now, you will check the Security Fabric deployment result on the root Local-FortiGate.
To check the Security Fabric on Local-FortiGate

1. Continuing on the Local-Windows VM, open a new browser tab and go to https://www.fortinet.com.
This is to generate some traffic on the Local-Window to view full topology in next steps.
2. On the Local-FortiGate GUI, click Dashboard > Status.

The Security Fabric widget displays the FortiGates in the Security Fabric.
3. Continuing on the root Local-FortiGate GUI, click Security Fabric > Physical Topology.

DO Exercise
NOT1: Configuring
REPRINT the Security Fabric 1 Check the Security Fabric deployment result
© FORTINET
This page shows a visualization of access layer devices in the Security Fabric.
4. Continuing on the root Local-FortiGate GUI, click Security Fabric > Logical Topology.
This dashboard displays information about the interfaces that each device in the Security Fabric connects.
In order to finish the Security Fabric configuration, you will authorize all the FortiGate
devices on the FortiAnalyzer. This authorization is configured in the next exercise.

DO NOT REPRINT
© FORTINET
Exercise 2: Configuring the Security Fabric 2
In this exercise, you will add another FortiGate to the Security Fabric tree. In this topology, downstream Remote-
FortiGate (HQ2) is connected to the root Local-FortiGate (HQ1) over IPsec VPN, to join the Security Fabric.

On the Remote-FortiGate GUI (10.200.3.1), enable FortiTelemetry on port6 and To-Local-HQ1 vpn
interface. Enable network device detection on port6.Once FortiTelemetry is enabled, configure the Security
Fabric settings with the group name fortinet and use the tunnel IP address 10.10.10.1 to connect
upstream root FortiGate.
After you complete the challenge, see Authorize downstream Remote-FortiGate(HQ2) on the root Local-
FortiGate (HQ1) on page 42.
Configure the Security Fabric on Remote-FortiGate HQ2 (downstream)
You will configure the Remote-FortiGate to join root Local-FortiGate through the Security Fabric.
To enable FortiTelemetry on Remote-FortiGate interfaces

5. In the Networked Devices section, ensure the Device Detection switch is turned on.
6. Click OK.
7. Continuing on the Remote-FortiGate GUI, click Network > Interfacesand expand port4.
8. Click interface To-Local-HQ1, and then click Edit.
To enable the Security Fabric on Remote-FortiGate

1. Continuing on the Remote-FortiGate GUI, click Security Fabric > Settings.

DO Exercise
NOT2: Configuring
REPRINT the Security Fabric 2 Configure the Security Fabric on Remote-FortiGate HQ2 (downstream)
© FORTINET
Field Value
Group name fortinet
FortiTelemetry enabled interfaces port6, To-Local-HQ1
4. Enable Connect to upstream FortiGate.

5. Click Change.
6. In the FortiGate IP field, enter 10.10.10.1.
7. Click Apply and wait for a few seconds.
A warning appears indicating FortiGate is not yet authorized on root FortiGate. You
will authorize Remote-FortiGate from root Local-FortiGate.
FortiAnalyzer logging is enabled after FortiGate telemetry is enabled. FortiAnalyzer

settings will be retrieved from the root Local-FortiGate when Remote-FortiGate
connects to root Local-FortiGate.

DO Authorize
NOTdownstream
(HQ1)
Remote-FortiGate(HQ2) on the root Local-FortiGate
REPRINT Exercise 2: Configuring the Security
Fabric 2
© FORTINET
Authorize downstream Remote-FortiGate(HQ2) on the root Local-FortiGate
(HQ1)
Now, you will authorize Remote-FortiGate on root Local-FortiGate to join the Security Fabric.
To authorize downstream Remote-FortiGate on the root Local-FortiGate

2. Click Security Fabric > Settings.
3. In the Topology field, click the highlighted FortiGate serial number, and click Authorize.
After authorization, downstream Remote-FortiGate shows up in the

topology field. Now both ISFW and Remote-FortiGate are show up as two
leafs of root Local-FortiGate.
A warning appears indicating FortiGate is not yet authorized on

FortiAnalyzer. You will authorize all FortiGates on FortiAnalyzer in next step.

DO Exercise
NOT2: Configuring
REPRINT the Security Fabric 2 Authorize all the Security Fabric FortiGates on FortiAnalyzer
© FORTINET
Authorize all the Security Fabric FortiGates on FortiAnalyzer
Now, you will authorize all the Security Fabric devices on FortiAnalyzer.
To authorize Local-FortiGate, ISFW, and Remote-FortiGate on FortiAnalyzer

1. On the Local-Windows VM, open another browser tab, and log in to the FortiAnalyzer GUI at 10.0.1.210, using
the username admin and the password password.
2. Click Device Manager.
3. Click Unauthorized.
All three FortiGates appear as unauthorized devices.

DO Check
NOT REPRINT
FortiAnalyzer Status on all Security Fabric FortiGate Devices Exercise 2: Configuring the Security Fabric 2
© FORTINET
4. Select the check boxes beside Local-FortiGate, ISFW , and Remote-FortiGate, and then click Authorize.
5. Leave all the Assign New Device Name as default in the Authorize Device wizard window, and click OK.
All three devices will be added to FortiAnalyzer root ADOM. Wait for a few seconds until the Logs status for
all the FortiGates turns green.
Check FortiAnalyzer Status on all Security Fabric FortiGate Devices
Now, you will check FortiAnalyzer status on all three FortiGate devices.
To check the FortiAnalyzer status on Local-FortiGate

1. On the Local-FortiGate, click Security Fabric > Settings.
In the FortiAnalyzer Logging section, you can see storage usage information.

DO Exercise
NOT2: Configuring
REPRINT the Security Fabric 2 Check the Security Fabric Deployment Result
© FORTINET
2. On the ISFW, click Security Fabric > Settings.
3. On the Remote-FortiGate, click Security Fabric > Settings.
Check the Security Fabric Deployment Result
Now, you will check the Security Fabric deployment result on root Local-FortiGate.

DO Check
NOT REPRINT
the Security Fabric Deployment Result Exercise 2: Configuring the Security Fabric 2
© FORTINET
To check the Security Fabric on Local-FortiGate
1. On the Local-FortiGate GUI, click Dashboard > Status.
The Security Fabric widget displays all the FortiGates in the Security Fabric.
2. Continuing on the root Local-FortiGate GUI, click Security Fabric > Physical Topology.
This page shows a visualization of access layer devices in the Security Fabric.
3. Continuing on the root Local-FortiGate GUI, click Security Fabric > Logical Topology.
This dashboard displays information about the interfaces that each device in the Security Fabric connects.

DO Exercise
NOT2: Configuring
REPRINT the Security Fabric 2 Check the Security Fabric Deployment Result
© FORTINET
Your topology view might not match what's shown in the example. At minimum, you
should see Local-FortiGate, Remote-FortiGate, and ISFW in the topology view.

DO NOT REPRINT
© FORTINET
Exercise 3: Running Security Rating
The security rating feature includes new security checks that can help you make improvements to your
organization’s network, such as enforce password security, apply recommended login attempt thresholds,
encourage two factor authentication, and more. In this lab you will run security ratings to fix few recommended
settings.
Running Security Rating on Root Local-FortiGate
In this exercise, you will run a Security Rating check, which analyzes the Fortinet Security Fabric deployment to
identify potential vulnerabilities and highlight best practices. You must run the Security Fabric rating on the root
FortiGate in the Security Fabric.
To review Security Rating widget

2. Click Security Fabric > Security Rating.
3. To get the current score, in the upper-right, click Run Now.
4. Click Dashboard > Status and check the Security Rating widget to see your percentile.

DO Exercise
NOT3: Running
REPRINT
Security Rating Running Security Rating on Root Local-FortiGate
© FORTINET
Your Security Rating widget might not match what's shown in the example.
To generate new security rating scores on the root FortiGate

1. Continuing on the Local-FortiGate GUI, click Security Fabric > Security Rating.
You can expand to view recommendations for each section and devices
2. To run the check, in the upper-right corner, click Run Now.
The check will run. When it completes, it shows the following information:
l The Security Rating Score field shows the score for your Security Fabric
l The page shows the overall count of how many checks passed or failed, with the
failed checks divided by severity
l Information about each failed check, including which FortiGate failed the check, the
effect of the check failure on the security score, and recommendations to fix the
issue
l The Apply option appears with recommendations that can be applied by the wizard
l Your Security Rating Scores might not match what's shown in the example
3. Select Audit Log Settings from Audit Logging & Monitoring (AL) section.
The Apply option appears with recommendations that can be applied by the wizard.
4. In the right pane under Local-Fortigate, click Apply.

DO Running
NOTSecurity
REPRINT
Rating on Root Local-FortiGate Exercise 3: Running Security Rating
© FORTINET
5. Click OK to save the configuration file.

View Diff button will appear next to Apply, once audit log settings have been applied successfully.
6. Click View Diff to view applied configuration changes to Local-Fortigate by wizard.
7. Click Close.
8. Click Run Now to get the new Security Rating Scores.

DO Exercise
NOT3: Running
REPRINT
Security Rating Running Security Rating on Root Local-FortiGate
© FORTINET
9. Click Dashboard > Status.
10. Locate the Security Rating widget and notice the current rating.
You will notice the Security Rating widget displays information from the most recent security rating check.
When you run a Security Fabric rating, your organization's Security Fabric receives a
Security Fabric score. The score will be positive or negative, and a higher score
represents a more secure network. The score is based on how many checks your
network passes and fails, as well as the severity level of these checks.
You can repeat steps 3 to 7 for all other sections and devices to apply
recommendations, this will improve Security Fabric score.
Your security rating scores might not match what's shown in the example.

DO NOT REPRINT
© FORTINET
Lab 3: Firewall Policies
In this lab, you will configure firewall policies on Local-FortiGate and perform various tests on the Local-Windows
VM, to confirm that traffic is matching the desired firewall policies based on the configuration.
Objectives
l Configure firewall objects and firewall policies
l Configure source and destination matching in firewall policies
l Apply service and schedule objects to a firewall policy
l Configure firewall policy logging options
l Reorder firewall policies
l Read and understand logs
l Use policy lookup to find a matching policy
Time to Complete
Prerequisites
Before beginning this lab, you must restore configuration files to the Remote-FortiGate,ISFW, and Local-
FortiGate.

3. Click Local PC,and then click Upload.

4. Click Desktop > Resources > FortiGate-Security > Firewall-Policies > remote-initial.conf, and then
click Open.
5. Click OK.

DO Lab
NOT REPRINT
3: Firewall Policies
© FORTINET
To restore the ISFW configuration file
1. On the Local-Windows VM, open a browser and log in to the ISFW GUI at 10.0.1.200 with the user name

4. Click Desktop > Resources > FortiGate-Security > Firewall-Policies > ISFW-initial.conf, and then
click Open.
5. Click OK.


4. Click Desktop > Resources > FortiGate-Security > Firewall-Policies > local-firewall-policy.conf,
and then click Open.
5. Click OK.

DO NOT REPRINT
© FORTINET
Exercise 1: Creating Firewall Address Objects and Firewall
Policies
In this exercise, you will configure firewall address objects. You will also configure an IPv4 firewall policy to which
you will apply firewall address objects along with schedule, services, and log options. Then, you will test the
firewall policy by passing traffic through it and checking the logs for your traffic.
At its core, FortiGate is a firewall, so almost everything that it does to your traffic is related to your firewall
policies.
Create Firewall Address Objects
By default, FortiGate has many preconfigured, well-known address objects in the factory default configuration.
However, if those objects don’t meet the needs of your organization, you can configure more.
To create a firewall address object

2. Click Policy & Objects > Addresses.
3. Click Create New > Address.
Field Value
Name LOCAL_SUBNET
Type Subnet
Subnet / IP Range 10.0.1.0/24
Interface any
5. Click OK.
Create a Firewall Policy
First, you will disable the existing firewall policy. Then, you will create a more specific firewall policy using the
firewall address object that you created in the previous procedure. You will also select specific services and
configure log settings.

DO Exercise
NOT1: Creating
REPRINT
Firewall Address Objects and Firewall Policies Create a Firewall Policy
© FORTINET
To disable an existing firewall policy
1. Continuing on the Local-FortiGate GUI, click Policy & Objects > IPv4 Policy.
2. Right-click the Full_Access firewall policy from the ID column and click Edit.
3. Turn off the radio button for Enable this policy to disable the policy and click OK.
To create a firewall policy

1. Continuing in the Policy & Objects > IPv4 Policy section, click Create New to add a new firewall policy.
Field Value
Name Internet_Access
Incoming Interface port3
Outgoing Interface port1
Source LOCAL_SUBNET
Destination all
Schedule always
Service ALL_ICMP, HTTP, HTTPS, DNS, SSH
Tip: On right side of the screen, type the name in the search box, and
then click on services to add.
Action ACCEPT
NAT <enable>
Log Allowed Traffic <enable> and select All Sessions
Generate Logs when Session <enable>

Starts
Enable this policy <enable>
3. Leave all other settings at their default values and click OK to save the changes.
When creating firewall policies, remember that FortiGate is a stateful firewall. As a

result, you need to create only one firewall policy that matches the direction of the
traffic that initiates the session.

DO Test
NOT REPRINT
the Firewall Policy and View Generated Logs Exercise 1: Creating Firewall Address Objects and Firewall Policies
© FORTINET
Test the Firewall Policy and View Generated Logs
Now that you have configured the firewall policy, you will test it by passing traffic through it and viewing the
generated logs.
To test and view logs for a firewall policy

1. On the Local-Windows VM, open several web browser tabs and connect to several external web sites such as:
l www.google.com
l kb.fortinet.com
l docs.fortinet.com
l www.bbc.com
2. Return to your browser tab with the Local-FortiGate GUI, and click Policy & Objects > IPv4 Policy.
3. Right-click the ID column of the Internet_Access policy.
4. Click Show Matching Logs.
5. Identify the log entries for your Internet browsing traffic.

With the current settings, you should have many log messages that have Accept: session start in the
Result column. These are the session start logs.
When sessions close, you will have a separate log entry for the amount of data sent and received.

DO Exercise
NOT1: Creating
REPRINT
Firewall Address Objects and Firewall Policies Test the Firewall Policy and View Generated Logs
© FORTINET
Enabling Generate Logs when Session Starts in the firewall policy will generate
twice the amount of log messages. You should use this option only when this level of
detail is absolutely necessary.
When you click Show Matching Logs in the firewall policy, it adds the Policy UUID
filter in forward traffic logs.
6. In the Forward Traffic logs, click X to remove the Policy UUID filter.
When you remove the Policy UUID filter, the logs show unfiltered. You will use the logs in upcoming labs.
7. Close all other browser tabs except the Local-FortiGate GUI.

DO NOT REPRINT
© FORTINET
Exercise 2: Reordering Firewall Policies and Firewall
Policy Actions
In the applicable interface pair’s section, FortiGate will look for a matching policy, beginning at the top. Usually,
you should put more specific policies at the top; otherwise, more general policies will match the traffic first, and
your more granular policies will never be applied.
In this exercise, you will create a new firewall policy with more specific settings such as source, destination,
service, and action set to DENY. Then, you will move this firewall policy above the existing firewall policies and
observe the behavior created by the firewall policy reordering.
You will create a new firewall policy to match a specific source, destination, service, and action set to DENY.
The firewall address LINUX_ETH1 with IP/Netmask 10.200.1.254/32 is

preconfigured for you, and you will use this address when you create the firewall
policy.

Configure a firewall policy on Local-FortiGate GUI using the following settings:
l Name the firewall policy Block_Ping.

l Incoming interface: port3, Outgoing interface: port1
l Block all ping traffic from the 10.0.1.0/24 subnet destined for the 10.200.1.254 address. Use the
preconfigured address objects LOCAL_SUBNET and LINUX_ETH1.
l Enable log violation traffic.
After you have performed these steps, see Test the Reordering of a Firewall Policy on page 59.

2. Click Policy & Objects > IPv4 Policy, and then click Create New.

DO Exercise
NOT2: Reordering
REPRINT Firewall Policies and Firewall Policy Actions Test the Reordering of a Firewall Policy
© FORTINET
Field Value
Name Block_Ping
Source LOCAL_SUBNET
Destination LINUX_ETH1
Schedule always
Service PING
Tip: Type the name in the search box on the right-hand side and click on
services to add.
Action DENY
Log Violation Traffic <enable>
Enable this policy <enable>
Test the Reordering of a Firewall Policy
Now that your configuration is ready, you will test it by moving the Block_Ping firewall policy above the
Internet_Access firewall policy. The objective is to confirm that, after reordering the firewall policy, the following
occurs:
l Traffic is matched to a more specific firewall policy

l The policy ID remains same
To confirm traffic matches a more granular firewall policy after reordering the firewall policy
1. Continuing on the Local-Windows VM, open a command prompt.
2. Ping the destination address (LINUX_ETH1) that you configured in the Block_Ping firewall policy.
ping –t 10.200.1.254
Stop and think!

Why are you still able to ping the destination address, even though you just configured a policy to block it?
The ping should still work because it matches the ACCEPT policy and not the DENY policy that you created.
The Block_Ping policy was never checked, because the traffic matched the policy at the top (Internet_
Access). This demonstrates the behavior that FortiGate will look for a matching policy, beginning at the
top.

DO Test
NOT REPRINT
the Reordering of a Firewall Policy Exercise 2: Reordering Firewall Policies and Firewall Policy Actions
© FORTINET
3. Leave the command prompt window open and running.
4. Return to your browser where you are logged in to the Local-FortiGate GUI.
5. In Policy & Objects > IPv4 Policy, note the current ID values for both the Internet_Access and Block_Ping
firewall policies.
6. From the ID column, drag the Block_Ping firewall policy and drop it above the Internet_Access firewall policy.
When you move the Block_Ping policy up, the ID value remains the same.
7. Return to the command prompt window that is running the continuous ping.
You should see that the traffic is now blocked and the replies appear as Request timed out.
Stop and think!

Why is the traffic now blocked?
This demonstrates the outcome of the policy reordering. After moving the more granular policy above the
general access policy, the traffic is matched to the more granular policy and, based on the action DENY, the
traffic stops processing.
8. Close the command prompt window.

DO NOT REPRINT
© FORTINET
Exercise 3: Applying ISDB Objects as Destinations
FortiGate can match the traffic using address objects or Internet service database (ISDB) objects as destinations.
ISDB objects are predefined entries that are regularly updated by FortiGuard and contains a database of IP
addresses, protocols, and port numbers used by the most common Internet services.
ISDB objects can be used to allow or deny traffic to well-known Internet destinations, without worrying about
configuring IP addresses, protocols, or ports used by those destinations in the firewall policy.
In this lab, you will apply an ISDB object as a destination criteria on a firewall policy to block traffic to a well-known
Internet service.
Review the Internet Service Database
You will now review the entries in the Internet service database.
To review the Internet service database

2. Click Policy & Objects > Internet Service Database.
3. Double-click any entry.
You will see the corresponding IP addresses, ports, and protocols used by that Internet service.
4. Click Return.
Configure a Firewall Policy Destination as an ISDB Object
Now, you will now modify an existing firewall policy and use an ISDB object as a destination.
To configure a destination as an Internet service

2. Right-click the ID column for the Block_Ping firewall policy, and click Edit.
3. Change the Name to Block_Facebook.
4. Click Destination and in the right pane, click LINUX_EHT1 to clear it.
5. Click Internet Service.
6. Select Facebook.Web.
Type the name in the search box and click a service to add it.

DO Test
NOT REPRINT
the Internet Service Firewall Policy Exercise 3: Applying ISDB Objects as Destinations
© FORTINET
When Internet Service is selected as the Destination, you cannot:
l Use Address in the Destination

l Select Service in the firewall policy
7. Click OK.
Test the Internet Service Firewall Policy
Now that you have configured the firewall policy, you will test it by passing traffic through it.
To test the Internet service firewall policy

1. Continuing on the Local-Windows VM, open few browser tabs and go to the following websites:
l www.facebook.com
l www.twitter.com

DO Exercise
NOT3: Applying
REPRINT
ISDB Objects as Destinations Test the Internet Service Firewall Policy
© FORTINET
Stop and think!
Why is Facebook blocked but Twitter is allowed?
FortiGate checks for the matching policy from top to bottom. Facebook is blocked by ID 4 firewall policy
because the destination is set to Facebook-Web. Twitter is allowed by ID 3 firewall policy, which allows
Internet access.
2. Return to the browser where you are logged into the Local-FortiGate GUI, and right-click the ID column for the
Block_Facebook firewall policy and click Edit.
3. Turn off the radio button for Enable this policy to disable the policy and click OK.
4. Close all browser tabs except for the Local-FortiGate GUI.

DO NOT REPRINT
© FORTINET
Exercise 4: Using Policy Lookup
FortiGate can find a matching firewall policy based on the policy lookup input criteria. The policy lookup feature
basically creates a packet flow over FortiGate without real traffic. From this packet flow, FortiGate can extract a
policy ID and highlight it on the GUI policy configuration page.
In this lab, you will use the policy lookup feature to find a matching firewall policy based on input criteria.
Enable Existing Firewall Policies
As required in the previous exercises, most of the configured firewall policies are currently disabled. Now, you will
enable some of the existing firewall policies.

On Local-FortiGate GUI, enable the Policy Status for the Fortinet and Full_Access firewall policies.
After you have performed these steps, see Set Up and Test the Policy Lookup Criteria on page 64.
To enable existing firewall policies

2. Click Policy & Objects > IPv4 Policy.
3. Right-click the ID column for the Fortinet firewall policy and click Edit.
4. Turn on the radio button for Enable this policy to enable the policy and click OK.
5. Right-click the ID column for the Full_Access firewall policy and click Edit.
Set Up and Test the Policy Lookup Criteria
Now, you will set up the policy lookup criteria. FortiGate will search and highlight the matching firewall policy
based on your input criteria.
To set up and test the policy lookup criteria

1. Continuing on the Local-FortiGate GUI click Policy & Objects > IPv4 Policy, and then click Policy Lookup.

DO Exercise
NOT4: REPRINT
Using Policy Lookup Reorder the Firewall Policies
© FORTINET
Field Value
Source Interface port3
Protocol TCP
Source 10.0.1.100
Source Port <Leave it empty>
Destination fortinet.com
Destination Port 443
3. Click Search.
The search will match the Full_Access policy, but not the more specific firewall policy, Fortinet.
In the search criteria, the source address is set to 10.0.1.100. This source address is not a part of the
Fortinet firewall policy; therefore, the search does not match the Fortinet firewall policy.
When FortiGate is performing a policy lookup, it does a series of checks on ingress,

stateful inspection, and egress for the matching firewall policy. It performs the checks
from top to bottom, before providing results for the matching policy.
4. Click Policy Lookup, and then change the Source to 10.0.1.10.

Make sure all the other settings match the settings you used in step 2.
5. Click Search.
This time, the search matches the Fortinet firewall policy, in which the destination is set to FQDN.
Reorder the Firewall Policies
Now you will reorder the firewall policies. You will move the Block_Facebook firewall policy above the Full_
Access policy.

On Local-FortiGate GUI, move the Block_Facebook firewall policy above the Full_Access policy.
After you have performed these steps, see Retest Policy Lookup After Reordering the Firewall Policies on
page 66.

DO Retest
NOT REPRINT
Policy Lookup After Reordering the Firewall Policies Exercise 4: Using Policy Lookup
© FORTINET
To reorder the firewall policies
2. From the ID column, drag the Block_Facebook firewall policy above the Full_Access firewall policy.
The order of your firewall policies should match the following example:
Retest Policy Lookup After Reordering the Firewall Policies
Now, you will test the policy lookup feature after reordering the firewall policies.
To retest the policy lookup after reordering the firewall policies

1. Continuing on the Local-FortiGate GUI click Policy & Objects > IPv4 Policy, and then click Policy Lookup.
2. Set the following values:
Field Value
Source Interface port3
Protocol TCP
Source 10.0.1.10
Destination facebook.com
Destination Port 443
3. Click Search.
Stop and think!

Why did the search not match the more specific policy, Block_Facebook?
When FortiGate is performing a policy lookup, it skips all disabled policies.
The search will match the Full_Access policy, but not the more specific policy, Block_Facebook,
because it is disabled.

DO Exercise
NOT4: REPRINT
Using Policy Lookup Retest Policy Lookup After Reordering the Firewall Policies
© FORTINET
4. Right-click the ID column of the Block_Facebook policy and click Edit.
6. Click Policy Lookup.
7. Click Search.
This time the search matches the more specific policy, Block_Facebook.

DO NOT REPRINT
© FORTINET
Lab 4: NAT
Network address translation (NAT) is used to perform source NAT (SNAT) and destination NAT (DNAT) for the
traffic passing through FortiGate. There are two ways to configure SNAT and DNAT:
l Firewall policy NAT

l Central NAT
In this lab, you will configure and test firewall policy NAT for SNAT using IP pool, and for DNAT using virtual IP
(VIP).
You will configure and test SNAT using the central SNAT policy and DNAT using the DNAT policy and VIPs.
Objectives
l Configure destination NAT settings using a VIP
l Configure the source NAT settings using overload IP pools
l Configure a central NAT policy for the source NAT
l Configure DNAT and VIPs for the destination NAT
Time to Complete
Prerequisites
Before starting the procedures in this lab, you must restore a configuration file on each FortiGate.
Make sure to restore the correct configuration in each FortiGate using the following


DO Lab
NOT 4: NAT REPRINT
© FORTINET

4. Click Desktop > Resources > FortiGate-Security > NAT > remote-nat.conf, and then click Open.
5. Click OK.


4. Click Desktop > Resources > FortiGate-Security > NAT > local-nat.conf, and then click Open.
5. Click OK.

DO NOT REPRINT
© FORTINET
Exercise 1: Accessing Through VIPs
VIP addresses are typically used to translate external or public IP addresses to internal or private IP addresses.
In this exercise, you will configure a VIP address for the Local-Windows VM. Then, you will create an egress-to-
ingress firewall policy and apply a VIP address. This will allow Internet connections to the Local-Windows VM.
You will also verify the DNAT and SNAT behavior using CLI commands.
Create a VIP
On FortiGate, a VIP is a DNAT, which you can select only in a firewall policy’s destination address field.
In this procedure, you will configure the VIP to map the Local-Windows VM (10.0.1.10) to 10.200.1.200,
which is a part of the port1 subnet. You can refer to the lab Network Topology on page 9 diagram.
To create a VIP
2. Click Policy & Objects > Virtual IPs.
3. Click Create New, and then select Virtual IP.
Field Value
Name VIP-INTERNAL-HOST
Interface port1
(port1 is connected to the Internet with IP address 10.200.1.1/24.)
External IP address/range 10.200.1.200
(This is the IP address in the same range as the port1 subnet.)
Mapped IP address/range 10.0.1.10

DO Exercise
NOT1: Accessing
REPRINTThrough VIPs Create a Firewall Policy
© FORTINET
5. Click OK.
You will configure a new firewall policy using the VIP that you just created as the destination address.

Field Value
Name Web-Server-Access
Source all
Destination VIP-INTERNAL-HOST
Tip: Listed under the Virtual IP section
Schedule always
Service HTTP, HTTPS
Tip: In right pane, type the name in the search box, and then click
Services to add.
Action ACCEPT

DO Test
NOT the VIPREPRINT
Firewall Policy Exercise 1: Accessing Through VIPs
© FORTINET
4. In the Firewall / Network Options section, turn off the NAT.
5. In the Logging Options section, turn on Log Allowed Traffic , and then select All Sessions.
6. Click OK.
Test the VIP Firewall Policy
Now that you've configured a firewall policy with the VIP address as the destination, you can test your VIP by
accessing it from the Remote-Windows VM, which is behind the Remote-FortiGate internal network. Traffic is
routed from the Remote-FortiGate to the Local-FortiGate by a Linux machine, which acts as a router between
these two FortiGate devices. For more information, see Network Topology on page 9.
You will also test how the source address is translated by the VIP when traffic is leaving from the Local-Windows
VM.
To test VIPs (DNAT)

1. On the Remote-Windows VM, open a web browser and go to the following URL:
http://10.200.1.200
If the VIP operation is successful, a simple web page opens.

DO Exercise
NOT1: Accessing
REPRINTThrough VIPs Test the SNAT
© FORTINET
2. On the Local-Windows VM, open PuTTY and connect over SSH to the LOCAL-FORTIGATE saved session.
3. At the login prompt, enter the user name admin and password password.
4. Enter the following command to check the destination NAT entries in the session table:
get system session list
Sample output:
Local-FortiGate# get system session list
PROTO EXPIRE SOURCE SOURCE-NAT DESTINATION DESTINATION-NAT
tcp 3594 10.200.3.1:49478 - 10.200.1.200:80 10.0.1.10:80
You will notice that the destination address 10.200.1.200 is translated to 10.0.1.10, which is the
mapping you configured in the VIP.
Test the SNAT
As a result of the VIP (which is a static NAT), all translated outgoing connections from the Local-Windows VM (IP
address 10.0.1.10) will use the VIP address to SNAT for the ingress-to-egress firewall policy and not the
egress interface IP address.
To test SNAT
1. Continuing on Local-Windows, return to the Local-FortiGate PuTTY session and run the following command to
clear any existing sessions:
diagnose sys session clear
The CLI command diagnose sys session clear will clear all sessions
including SSH session you created using PuTTY. This is expected behavior.

DO Test
NOT REPRINT
the SNAT Exercise 1: Accessing Through VIPs
© FORTINET
The firewall is stateful, so any existing sessions will not use this new firewall policy
until they time out or are cleared for ingress-to-egress traffic.
This clears the session to the Local-FortiGate from the Local-Windows VM.
2. Close the PuTTY window.

3. Open a web browser tab and connect to a few websites, for example:
l www.fortinet.com
l www.yahoo.com
l www.bbc.com
4. Open PuTTY, and connect over SSH to the LOCAL-FORTIGATE saved session.
6. Run the following command to view the session information:
Sample output:
The outgoing connections from the Local-Windows VM are now being translated with
the VIP address 10.200.1.200, instead of the firewall egress interface IP address
(10.200.1.1).
This is a behavior of the SNAT VIP. That is, when you enable SNAT on a policy, a VIP static NAT takes
priority over the destination interface IP address.
7. Close the PuTTY session.

8. Close all browser tabs except the Local-FortiGate GUI.

DO NOT REPRINT
© FORTINET
Exercise 2: Using Dynamic NAT with IP Pools
IP pools are used to translate the source address to an address from that pool, rather than the egress interface
address.
Currently, the Local-FortiGate translates the source IP address of all traffic generated from the Local-Windows
VM to 10.200.1.200 because of the SNAT translation in the VIP.
In this exercise, you will create an IP pool, apply it to the ingress-to-egress firewall policy, and verify the SNAT
address using CLI commands.
Create an IP Pool
In this procedure, you will create an IP pool from the range of public IP addresses available on the egress port
(port1).
To create an IP pool
2. Click Policy & Objects > IP Pools.
3. Click Create New and configure the following settings:
Field Value
Name INTERNAL-HOST-EXT-IP
Type Overload
External IP Range/Subnet 10.200.1.100 - 10.200.1.100
4. Click OK.
Edit a Firewall Policy to Use the IP Pool
Now, you will apply the IP pool to change the behavior from static NAT to dynamic NAT on the ingress-to-egress
firewall policy.

DO Test
NOT REPRINT
Dynamic NAT with IP Pools Exercise 2: Using Dynamic NAT with IP Pools
© FORTINET
To edit the firewall policy
3. In the Firewall / Network Options section, configure the following settings:
Field Value
NAT <enable>
IP Pool Configuration Use Dynamic IP Pool
4. Click the + that appeared when you clicked Use Dynamic IP Pool, and from the right pane, click INTERNAL-
HOST-EXT-IP.
Your configuration will look similar to the following example:
5. Click OK.
Test Dynamic NAT with IP Pools
Now that your configuration is ready, you can test dynamic NAT with IP pools by browsing to a few external sites
on the Internet. If successful, you will see that the Local-Windows VM IP address (10.0.1.10) is translated to
the IP pool address of 10.200.1.100.
To test dynamic NAT with IP pools

1. Continuing on the Local-Windows VM, open PuTTY and connect over SSH to the LOCAL-FORTIGATE saved
session.
3. Run the following command to clear any existing sessions:

DO Exercise
NOT2: Using
REPRINT
Dynamic NAT with IP Pools Test Dynamic NAT with IP Pools
© FORTINET
The CLI command diagnose sys session clear will clear all sessions,
including the SSH session you created using PuTTY. This is expected behavior.
The firewall is stateful, so any existing sessions will not use this updated firewall policy
until they time out or are cleared for ingress-to-egress traffic.

5. Open several browser tabs and connect to a few websites. For example:
l www.fortinet.com
l www.yahoo.com
l www.bbc.com
6. Open PuTTY and connect over SSH to the LOCAL-FORTIGATE saved session.
8. Run the following command to verify the source NAT IP address that those sessions are using:
Sample output:
Notice that the SNAT address is now 10.200.1.100, as configured in the IP pool, and the IP pool has
overridden the static NAT VIP.
9. Close PuTTY.

DO NOT REPRINT
© FORTINET
Exercise 3: Configuring Central SNAT
A central SNAT policy is applied to multiple firewall policies, based on a configured central rule.
In this exercise, you will configure a central SNAT policy and test it.
Prerequisites
Before beginning this lab, you must restore a configuration for central NAT to Local-FortiGate.
Make sure to restore the correct configuration for Local-FortiGate using the following
steps. Failure to restore the correct configuration on Local-FortiGate will prevent you


4. Click Desktop > Resources > FortiGate-Security > NAT > local-central-nat.conf, and then click
Open.
5. Click OK.

DO Exercise
NOT3: Configuring
REPRINT Central SNAT Configure Central SNAT Policy
© FORTINET
When enabling central NAT, you must remove VIP and IP pool references from the
existing firewall policies first.
For example, you will see the following error if you try to enable central NAT without
removing VIP and IP pool references from the existing firewall policies.
To prevent this error from occurring during this exercise, the VIP and IP pool
references must be removed from the firewall policies.
1. The IP pool has been removed from the Full_Access firewall policy (policy ID 1),
and the VIP address has been removed from the Web-Server-Access firewall
policy (policy ID 2), because central NAT can be enabled only if none of the firewall
policies have IP pool and VIP addresses associated with them.
2. The VIP object you added in a previous exercise to test the firewall policy source
NAT has been removed.
3. Central-NAT is enabled.
You will notice all the above mentioned changes once you have loaded
local-central-nat.conf in the firewall.
Configure Central SNAT Policy
In this procedure, you will configure a central SNAT policy using the IP pool you created in the previous exercise.
To review IP pool configuration

2. Click Policy & Objects > IP Pools.
3. Review the settings of INTERNAL-HOST-EXT-IP.
To configure a central NAT policy

1. Continuing on the Local-FortiGate GUI, click Policy & Objects > Central SNAT.
Field Value
Source address all
Destination address all

DO Review
NOT the REPRINT
Firewall Policy Exercise 3: Configuring Central SNAT
© FORTINET
Field Value
NAT <enable>
Click + and select INTERNAL-HOST-EXT-IP
Protocol ANY
3. Keep the default values for the remaining settings and click OK to save the changes.
NAT is enabled on the central SNAT policy.
If no central SNAT or matching central SNAT rule exists, FortiGate creates session
using the original source IP address and no NAT will be applied.
Review the Firewall Policy
In this procedure, you will review the firewall policy.
To verify that NAT is enabled on firewall policy

3. Review the Firewall / Network Options of the Full_Access policy.

DO Exercise
NOT3: Configuring
REPRINT Central SNAT Test Central SNAT
© FORTINET
There is no option for enabling NATor using IP pools. In central SNAT, NAT on the
SNAT policy controls whether the NAT is used or not.
4. Click Cancel.
Test Central SNAT
Now that your configuration is ready, you can test the behavior of the central SNAT policy.
To test central SNAT

3. Run the following command to clear the existing sessions:
The CLI command diagnose sys session clear will clear all sessions,
including the SSH session you created using PuTTY. This is expected behavior.

5. Open multiple browser tabs and connect to a few websites. For example:

DO Create
NOT REPRINT
a Second IP Pool Exercise 3: Configuring Central SNAT
© FORTINET
l www.fortinet.com
l www.yahoo.com
l www.bbc.com
8. Run the following command to verify the SNAT IP address that those sessions are using:
Sample output:
Notice that the SNAT address is now 10.200.1.100, which matches the IP Pool configured in central
SNAT policy.
9. Close PuTTY.
Create a Second IP Pool
Now you will create a second IP Pool, which you will use later when creating a second central SNAT policy.

On the Local-FortiGate GUI, create a second IP Pool named SNAT-Pool with IP range 10.200.1.50 -
10.200.1.50 and the type as Overload.
After you complete the challenge, see Create a Second SNAT Policy on page 83

DO Exercise
NOT3: Configuring
REPRINT Central SNAT Create a Second SNAT Policy
© FORTINET
To create a second IP Pool
1. On the Local-FortiGate GUI, click Policy & Objects > IP Pools.
Field Value
Name SNAT-Pool
Type Overload
External IP Range 10.200.1.50 - 10.200.1.50
3. Click OK.
Create a Second SNAT Policy
Now you will create a more granular SNAT policy by selecting a specific destination address and protocol to
match specific traffic.

On the Local-FortiGate GUI, create a second SNAT policy for REMOTE_FORTIGATE as a destination to
allow only the TCP protocol using SNAT_Pool for traffic from port3 to port1.
After you complete the challenge, see Reorder Central SNAT Policies on page 84
To create second SNAT policy

Field Value
Source address all
Destination address REMOTE_FORTIGATE
NAT <enable>

DO Reorder
NOTCentral
REPRINT
SNAT Policies Exercise 3: Configuring Central SNAT
© FORTINET
Field Value
Click + and select SNAT-Pool
Protocol TCP
3. Click OK.
Reorder Central SNAT Policies
Now you will reorder the central NAT policies to put the more granular rule at the top.
Similar to firewall policies, a central SNAT policy is processed from top to bottom and, if a match is found, the
source address and source port translate based on that central SNAT policy.
To reorder central SNAT policies

2. Click ID column to drag the newly created central SNAT policy above the previously created central SNAT policy.
Test Central SNAT
Now that your configuration is ready, you will test the central SNAT configuration.

DO Exercise
NOT3: Configuring
REPRINT Central SNAT Test Central SNAT
© FORTINET
To test central SNAT
3. Run the following command to clear the existing sessions:

5. Open a new browser tab and log in to the Remote-FortiGate GUI at 10.200.3.1with the user name admin and
password password.
6. Open a command prompt and run a continuous ping to the Remote-FortiGate IP.
ping -t 10.200.3.1
9. Run the following command:
Notice that the TCP sessions to destination 10.200.3.1 are translated to 10.200.1.50, because that
address matches the central SNAT policy.
Sample output:
ICMP sessions to destination 10.200.3.1 are translated to 10.200.1.100, which matches the central
SNAT policy at the bottom.
Sample output:
10. Open several browser tabs and connect to a few websites. For example:

DO Test
NOT CentralREPRINT
SNAT Exercise 3: Configuring Central SNAT
© FORTINET
l www.fortinet.com
l www.yahoo.com
l www.bbc.com
11. Return to LOCAL-FORTIGATE PuTTY session.
12. Run the following command:
Also, other TCP sessions to different destinations are translated to 10.200.1.100, based on the matching
central SNAT policy at the bottom.
A central SNAT policy is processed from top to bottom, similar to firewall policies.
13. Close the command prompt and PuTTY.


DO NOT REPRINT
© FORTINET
Exercise 4: Configuring and Testing DNAT and VIPs
In firewall policy NAT, a VIP is selected in the firewall policy as the destination address. In central NAT, when you
configure DNAT and VIPs, FortiGate automatically creates a rule in the kernel to allow DNAT to occur, and no
additional configuration is required.
In this exercise, you will configure and test the behavior of central DNAT.
Create DNAT and VIPs
In this procedure, you will configure DNAT and VIPs.
To create DNAT and VIPs

2. Click Policy & Objects > DNAT & Virtual IPs.
3. Click Create New, and then select DNAT & Virtual IP.
Field Value
Name Central-DNAT
Interface port1
Type Static NAT (default setting)
External IP address/range 10.200.1.150
Mapped IP address/range 10.0.1.10
5. Click OK.

DO Verify
NOT REPRINT
the Firewall Policy Settings Exercise 4: Configuring and Testing DNAT and VIPs
© FORTINET
Verify the Firewall Policy Settings
Now, you will verify the firewall policy settings for the egress-to-ingress firewall policy.
To verify the firewall policy settings

2. Right click the ID column of the Web-Server-Access firewall policy, and then click Edit.
3. Review the settings of the firewall policy.
4. Try to select the DNAT & Virtual IPs address in the firewall destination address.
You will be not able to do so.
You can't select VIPs previously created in a firewall policy as a destination address.
As soon as a VIP object is created, FortiGate automatically creates a rule in the kernel
for DNAT to occur.
5. Scroll to the bottom of the page and ensure that Enable this policy is enabled.
6. Click OK.
Test DNAT and VIPs
In this procedure, you will test DNAT and VIPs by accessing the Local-Windows VM.
To test DNAT and VIPs

1. On the Remote-Windows VM, open a web browser and access the following URL:
If the VIP operation is successful, a simple web page opens.

5. Run the following command to check the destination NAT entries in the session table:
Sample output:

DO Exercise
NOT4: Configuring
REPRINT and Testing DNAT and VIPs Test DNAT and VIPs
© FORTINET
6. Open additional web browser tabs and try to access few websites. For example:
l www.fortinet.com
l www.yahoo.com
l www.bbc.com
7. Return to the Local-FortiGate PuTTY session and verify the SNAT IP address those sessions are using:
Sample output:
Notice that the SNAT address is still 10.200.1.100, as configured in the central SNAT policy using IP
pool, and static DNAT and VIPs has not overridden central SNATpolicy. This behavior is similar to firewall
policy NAT.
If both the SNAT and DNAT are defined, the egress traffic will source NAT to the
matching SNAT policy address, as opposed to the configured DNAT and VIPs.
8. Close PuTTY.

DO NOT REPRINT
© FORTINET
Lab 5: Firewall Authentication
In this lab, you will configure FortiGate to communicate with a remote LDAP server for server-based password
authentication.
You will also configure captive portal, so that any user connecting to the network is prompted for their login
credentials (active authentication).
Objectives
l Configure server-based password authentication with an LDAP server
l Configure captive portal so users connecting to the network are forced to authenticate
Time to Complete
Prerequisites
Before beginning this lab, you must restore a configuration file to Local-FortiGate.


4. Click Desktop > Resources >FortiGate-Security > Firewall-Authentication > local-firewall-
authentication.conf, and then click Open.
5. Click OK.

DO NOT REPRINT
© FORTINET
Exercise 1: Configuring Remote Authentication
In this exercise, you will configure an LDAP server on FortiGate for remote authentication, create a remote
authentication group for remote users, and add that group as a source in a firewall policy.
Finally, you will authenticate as one of the remote users, and then monitor the login as the administrator.
Configure an LDAP Server on FortiGate
You can configure FortiGate to point to an LDAP server for server-based password authentication using the
preconfigured active directory (AD) service located on the Local-Windows VM. AD already has users available to
use in this lab.
To configure an LDAP server on FortiGate

2. Click User & Device > LDAP Servers, and then click Create New.
3. Configure a server using the following settings:
Field Value
Name ADserver
Server IP/Name 10.0.1.10
This is the IP address of the Windows Server, Local-Windows VM. For

more information, see Network Topology on page 9.
Server Port 389
This is the default port for LDAP.
Common Name Identifier cn
This is the attribute name used to find the user name. AD calls this cn.
Distinguished Name ou=Training,dc=trainingAD,dc=training,dc=lab
This is the domain name for AD on the Windows Server. AD has already
been preconfigured, with all users located in the Training organizational
unit (ou).
Bind Type Regular
Username ADadmin
We are using the credentials of an AD user called ADadmin to

authenticate to AD. ADadmin is located in the Users ou.

DO Assign
NOT REPRINT
an LDAP User to a Firewall Group Exercise 1: Configuring Remote Authentication
© FORTINET
Field Value
Password Training!
This is the password pre-configured for the ADadmin user. You must use it
to be able to bind.
4. Click Test Connectivity.

You should see a message indicating that the connection was successful.
5. Click OK.
Assign an LDAP User to a Firewall Group
Now, you will assign an LDAP user group (AD-users) that includes two users (aduser1 and aduser2) to a firewall
user group called Remote-users on FortiGate. By doing this , you will be able to configure firewall policies to act
on the firewall user group.
Usually, groups are used to more effectively manage individuals who have a shared relationship.
The Remote-users firewall group is preconfigured for you. However, you must modify
it to add the users from the remote LDAP server you configured in the previous
procedure.

On Local-FortiGate (10.0.1.254), assign the Active Directory user group called AD-users to the
FortiGate firewall user group called Remote-users.
After you have completed this exercise, see Configuring Remote Authentication on page 91.
To assign a user to a user group

1. Continuing on the Local-FortiGate GUI, click User & Device > User Groups, and then edit the Remote-users
group.
Notice that it's currently configured as a firewall group.
2. To add users from the remote LDAP server, in the Remote Groups table, click Add.
The Add Group Match dialog box opens.

DO Exercise
NOT1: Configuring
REPRINT Remote Authentication Add the Remote User Group to Your Firewall Policy
© FORTINET
3. In the Remote Server drop-down list, select ADserver.

4. On the Groups tab, right-click AD-users, and then click Add Selected.
The AD-users group is disabled and has a green checkmark beside it, indicating it has been added.
5. Click OK.
The users in this AD group are now included in your FortiGate Remote-users firewall user group. Only users
from the remote LDAP server that match this user group entry can authenticate.
6. Click OK.
Add the Remote User Group to Your Firewall Policy
Now that the LDAP server is added to the Remote-users firewall user group, you can add the group to a firewall
policy. This allows you to control access to network resources, because policy decisions are made for the group as
a whole.

DO Authenticate
NOT REPRINT and Monitor Exercise 1: Configuring Remote Authentication
© FORTINET
To add the remote user group to your firewall policy
1. Continuing on the Local-FortiGate GUI, click Policy & Objects > IPv4 Policy, and then double-click on the
existing port3 to port1 firewall policy.
Field Value
Source Remote-users (located under User)
3. In the Security Profiles section, enable Web Filter, and then select Category_Monitor.
This web filter was preconfigured and is set to block the following categories: Potentially Liable,
Adult/Mature Content, and partially blocking Security Risk.
4. In the Logging Options section, enable Log Allowed Traffic, and then select All Sessions.
5. Click OK.
To test whether aduser1 will be able to successfully authenticate

session.
3. Type the following command:
diagnose test authserver ldap <LDAP server name> <LDAP user name> <password>
Where:
l <LDAP server name> is ADserver (case-sensitive)

l <LDAP user name> is aduser1
l <password> is Training!
A message like the following example should appear to indicate that authentication was successful:
4. Close PuTTY.
Authenticate and Monitor
Now, you will authenticate through the a firewall policy as aduser1. This user is a member of the Remote_users
group on FortiGate. Then, you will monitor the authentication.

DO Exercise
NOT1: Configuring
REPRINT Remote Authentication Authenticate and Monitor
© FORTINET
To authenticate as a remote user
1. Continuing on the Local-Windows VM, open a new browser tab and go to elite-hackers.com.
You will be asked to log in to the network.
2. Click Open Network Login Page.

You will see a login prompt presented by FortiGate.
3. Log in as aduser1 with the password Training!.

This URL is set to be blocked by the web filter security profile you enabled in the firewall policy.
Notice that the blocked page displays a replacement message that includes useful information such as the
URL, category, user name, and the group name.
To monitor active captive portal authentications

1. Continuing on the Local-Windows VM, return to the browser tab where you are logged in to the Local-FortiGate
GUI as admin.
2. Monitor the firewall authenticated user. To view this login authentication, click Monitor > Firewall User
Monitor.
You will see aduser1 listed along with other information such as user group, IP address, etc.
3. Click on aduser1 user and click Deauthenticate.

DO Authenticate
NOT REPRINT and Monitor Exercise 1: Configuring Remote Authentication
© FORTINET
While the CLI config user setting dictates how long a user authenticating
through captive portal can remain authenticated, you can choose to manually revoke a
captive portal user's authentication by selecting the user in the Firewall User
Monitor list and clicking Deauthenticate. Once deauthenticated, the user disappears
from the list, because it is reserved for active users only.
4. Click OK in the confirm prompt.
This deauthenticates the user. The user must log in again to access the resources protected by the firewall
policy.
Remove User Group from Firewall Policy

Now, you need to remove the user group assigned on the firewall policy for authentication.
To remove the remote user group from your firewall policy

1. Continuing on the Local-FortiGate GUI, click Policy & Objects > IPv4 Policy, and then double-click the existing
port3 to port1 firewall policy.
2. Remove the user group from Source on the firewall policy.

DO Exercise
NOT1: Configuring
REPRINT Remote Authentication Authenticate and Monitor
© FORTINET
3. Click OK.

DO NOT REPRINT
© FORTINET
Exercise 2: Configuring Captive Portal
In this exercise, you will configure captive portal and restrict access to a specific user group. Captive portal is a
convenient way to authenticate web users on wired or WiFi networks using an HTML form that requests a user
name and password (active authentication).
This exercise involves creating a user group (and adding a user to it), enabling captive portal, restricting access
based on the user group group associated with captive portal, and enabling the disclaimer message.
Finally, you will authenticate through captive portal and monitor the authentication.
Create a User Group for Captive Portal
Because the goal is to enable captive portal based on a specific group, you must first create a user group and
then add a user to the group. For the purposes of this exercise, you will add the user student to the group. The
use student is a local user on FortiGate that was preconfigured.
To create a user group for captive portal

2. Click User & Device > User Groups, and then click Create New.
3. Create a captive portal user group using the following settings:
Field Value
Name CP-group
Type Firewall
Members student
4. Click OK.
Enable Captive Portal
Now, you will enable captive portal on a wired network.
To enable captive portal

1. Continuing on the Local-FortiGate GUI, click Network > Interfaces, and then edit port3.
This port handles incoming traffic. For more information, see Network Topology on page 9.
2. In the Admission Control section, enable captive portal using the following settings:

DO Exercise
NOT2: REPRINT
Configuring Captive Portal Enable the Disclaimer Message
© FORTINET
Field Value
Security Mode Captive Portal
Authentication Portal Local
User Access Restricted to Groups
User Groups CP-group
3. Click OK.
Enable the Disclaimer Message
To provide a disclaimer message to users who are logging in through captive portal, you must enable disclaimers.
Because you are enabling captive portal through a wired interface, you can enable disclaimers only using the CLI.
If you enable captive portal using WiFi, you can enable disclaimers using the GUI
(WiFi & Switch Controller > SSID ). You are using a wired interface in this lab.
To enable the disclaimer message

session.
3. Type the following commands:
config firewall policy

edit 1
set disclaimer enable
end
4. Close PuTTY.
Authenticate and Monitor
Now that captive portal is configured and the disclaimer is enabled, you can test the configuration by
authenticating through captive portal as the student user. Then, you will monitor the authentication as the
admin user.
To authenticate through captive portal

1. Continuing on the Local-Windows VM, open a new browser tab and go to a website, such as www.eicar.org.
2. When prompted, log in with the username student and password fortinet.

DO Authenticate
NOT REPRINT and Monitor Exercise 2: Configuring Captive Portal
© FORTINET
The Terms and Disclaimer Agreement dialog opens.
3. Click Yes, I agree.

After you agree to the terms, you are redirected to the website you originally requested.
4. Open additional browser tabs and access the website again websites through captive portal.
5. Leave all browser tabs open and continue to the next procedure.

DO Exercise
NOT2: REPRINT
Configuring Captive Portal Authenticate and Monitor
© FORTINET
To monitor active captive portal authentications
1. Continuing on the Local-Windows VM, return to the browser tab where you are logged in to the Local-FortiGate
GUI as admin.
2. Monitor the student user. To view this login authentication, click Monitor > Firewall User Monitor.
While the CLI config user setting dictates how long a user authenticating
through captive portal can remain authenticated, you can choose to manually revoke a
captive portal user's authentication by selecting the user in the Firewall User
Monitor list and clicking Deauthenticate. Once deauthenticated, the user disappears
from the list, because it is reserved for active users only.
3. Select student and click Deauthenticate to manually end the user's session.
4. Click OK.
5. Close the browser.

DO NOT REPRINT
© FORTINET
Lab 6: Logging and Monitoring
In this lab, you will configure log settings on Local-FortiGate, configure alert email, and view logs.
Objectives
l Configure logging on FortiGate so FortiGate understands how to log traffic
l Configure threat weight
l Monitor logs through alert emails
l View logs on the Local-FortiGate GUI
Time to Complete
Prerequisites
Before beginning this lab, you must restore a configuration file to Local-FortiGate. After the reboot, you must also
check your web filter license status, because you will be using web filtering in this lab and it must show as
licensed.


4. Click Desktop > Resources > FortiGate-Security > Logging > local-logging.conf, and then click Open.
5. Click OK.

DO Lab
NOT REPRINT
6: Logging and Monitoring
© FORTINET
To check the web filter license status upon reboot
1. Continuing on the Local-Windows VM, log in to the Local-FortiGate GUI at 10.0.1.254 with the user name
2. Select Dashboard> Status, and in the Licenses widget, verify that there is a green check mark next to Web
Filtering, indicating the service is licensed and active.
3. Click System > FortiGuard.
4. Scroll to the bottom of the page, and then in the Filtering section, next to Filtering Services Availability, click
Check Again to force an update.
5. Click OK to confirm.
You should see a confirmation message indicating that the web filtering service is available.

DO NOT REPRINT
© FORTINET
Exercise 1: Configuring Log Settings
To record network activity, you must configure logging on FortiGate. In this exercise, you will configure the log
settings.
Configure Log Settings
Configuring log settings does not generate logs directly on FortiGate. Rather, log settings define if, where, and
how a log is stored.
The objective of this exercise is to prepare the log settings on Local-FortiGate. For the purposes of this lab, this
includes:
l Enabling disk logging, so that logs are stored locally on FortiGate

l Enabling Historical FortiView, so that more than just real-time information is captured in the FortiView
dashboards
l Configuring event logging for all activity, to track and monitor events that occur on FortiGate
l Disabling Local Traffic logging, to prevent filling up your disk too quickly with traffic going directly to and from
FortiGate
l Configuring FortiGate to resolve hostnames, so that FortiGate performs reverse DNS lookups for all the IPs and
makes searching logs easier

Configure the log settings on Local-FortiGate (10.0.1.254 | admin / password) according to the
objective stated above.
After you complete the challenge, see Configure Threat Weight on page 106.
To configure the log settings

2. Click Log & Report > Log Settings.
3. In the Local Log section, enable the following:
Field Value
Disk <enable>
Enable Historical FortiView <enable>

DO Exercise
NOT1: Configuring
REPRINT Log Settings Configure Log Settings
© FORTINET
4. In the Log Settings section, make sure the following settings are configured:
Field Value
Event Logging All
Event logs provide all of the system information generated by the FortiGate
device (they are not caused by traffic passing through firewall policies).
However, it is good practice to track and monitor events that occur on
FortiGate.
Local Traffic Log Customize - with all traffic logging options cleared
These logs record traffic directly to and from FortiGate and can fill up your disk
quickly if not properly managed and monitored. For the purposes of this lab,
leave all checkboxes associated with local traffic log options, cleared.
5. In the GUI Preferences section, configure the following:
Field Value
Resolve Hostnames <enable>
Resolving hostnames requires FortiGate to perform reverse DNS lookups for

all the IPs and makes searching logs easier.
6. Click Apply.

DO Configure
NOTThreat REPRINT
Weight Exercise 1: Configuring Log Settings
© FORTINET
Configure Threat Weight
To prioritize solving the most relevant issues easily, you can configure severity levels for IPS signatures, web
categories, and applications that are associated with a threat weight (or score). Threat weight allows you to set
the risk values for low, medium, high, and critical levels, and then apply a threat weight to specific categories.
The objective of this task is to set the following categories to critical status:
l Malicious Websites
l Hacking
l Explicit Violence
l Pornography
You will use threat weight later, when searching for logs at a specific threat weight.
To configure threat weight

1. Continuing on the Local-FortiGate GUI, click Log & Report > Threat Weight.
2. In the Web Activity section, select the Critical option for the following categories:
3. In the Risk Level Values section, record the value associated with the Critical risk level.
You will use this information later to search for logs using the risk level value as a filter.
Risk Level Value
Critical
4. Click Apply.

DO NOT REPRINT
© FORTINET
Exercise 2: Enabling Logging on Firewall Policies
Now that you've defined if, where, and how a log is stored using the FortiGate log settings, you must define
whether logs are generated. To accomplish this, you must enable logging on your firewall policy. A log message
can generate only when logging is enabled on a firewall policy.
Enable Logging on a Firewall Policy
For the purposes of this lab, two firewall policies have been created for you. However, you will now need to
configure these firewall polices for logging.
The two firewall policies are:
l IPS: You will use this firewall policy to capture IPS traffic.
l Full Access: You will use this firewall policy to capture antivirus, web filter, DNS, and application control traffic.

On the Local-FortiGate GUI (10.0.1.254 | admin/password), configure logging for all sessions on
both the IPS and Full Access firewall policies. Enable the following security profiles:
IPS
l IPS | default
Full Access
l AntiVirus | default
l Web Filter | Category-block-and-warning
l DNS Filter | default
l Application Control | block-high-risk
After you complete the challenge, see Monitoring Logs Through Alert Email on page 110.
To enable logging on the IPS firewall policy

2. Click Policy & Objects > IPv4 Policy, and then edit the IPS firewall policy.

DO Enable
NOT REPRINT
Logging on a Firewall Policy Exercise 2: Enabling Logging on Firewall Policies
© FORTINET
3. In the Security Profiles section, configure the following:
Security Profiles Profile
IPS default
SSL Inspection certificate-inspection
Remember, you will not get logs of any kind if Log Allowed Traffic is not enabled.
5. Click OK.
You've successfully enabled logging on your firewall policy. Later in this lab, you will test these log settings.
To enable logging on the Full Access firewall policy

1. Continuing on the Local-FortiGate GUI, click Policy & Objects > IPv4 Policy, and then edit the Full Access
firewall policy.
2. In the Security Profiles section, configure the following:

DO Exercise
NOT2: Enabling
REPRINT
Logging on Firewall Policies Enable Logging on a Firewall Policy
© FORTINET
Security Profiles Profile
AntiVirus default
Web Filter Category-block-and-warning
DNS Filter default
Application Control block-high-risk
SSL Inspection certificate-inspection
Remember, you will not get logs of any kind if Log Allowed Traffic is not enabled.
4. Click OK.
You've successfully enabled logging on your firewall policy. Later in this lab, you will test these log settings.

DO NOT REPRINT
© FORTINET
Exercise 3: Monitoring Logs Through Alert Email
In this exercise, you will configure alert emails, run some traffic through Local-FortiGate, and view alert emails.
Configure Alert Emails
Because you can’t always be physically at the FortiGate device, you can monitor events by setting up alert
emails. Alert emails provide an efficient and direct method of notifying an administrator of events.
An SMTP mail server is required for alert email to operate. Because configuring a mail
server is out of scope for this lab,one has already been configured for you. You can
view the email service configuration on the Local-FortiGate GUI by clicking System >
Advanced.
To configure email alerts

2. Click Log & Report > Email Alert Settings.
3. Turn on the Enabled switch.
The page loads with configuration options.
4. In the Email Alert Settings section, configure the following:
Field Value
From [email protected]
To [email protected]
Alert parameter Events
Interval 1
5. In the Security section, enable the following:

l Intrusion detected
l Web Filter blocked traffic
6. Click Apply.
Generate Traffic
For the purposes of this lab, you must generate traffic so you can see the logs collected by FortiGate.

DO Exercise
NOT3: Monitoring
REPRINT Logs Through Alert Email Generate Traffic
© FORTINET
The traffic you generate will go through Local-FortiGate. You have already enabled
the security policy on the IPS firewall policy and enabled logging for all sessions.
You will use two different tools to create different types of traffic.
Generate Traffic Through FIT

The firewall inspection tester (FIT) program on the FIT VM generates web browsing traffic, application control,
botnet IP hits, malware URLs, and malware downloads.
In this lab, you will direct FIT-generated traffic through Local-FortiGate. The FIT is behind port3 on Local-
FortiGate. The traffic from FIT will go through the Full Access firewall policy. For more information, see
Network Topology on page 9.
You configured the Full Access firewall policy to include the following security policies and logging options:
Because FIT-generated traffic will originate from the IP of the FIT VM (10.0.1.20),
all these logs will show the same source IP in the logs. This is a limitation of the lab
environment. In a real-world scenario, you will likely see many different source IPs for
your traffic.
To generate traffic through FIT

1. Continuing on the Local-Windows VM, open PuTTY and connect over SSH to the FIT saved session.
2. At the login prompt, enter student with the password password.

DO Generate
NOTTraffic
REPRINT Exercise 3: Monitoring Logs Through Alert Email
© FORTINET
3. Type the following commands:
cd FIT
./fit.py all --repeat
Traffic begins to generate and repeats the script each time it completes.
4. Leave the PuTTY session open (you can minimize it) so traffic continues to generate.
This will run throughout for the remainder of this lab.
Do not close the FIT PuTTY session or traffic will stop generating.
Generate Traffic Through Nikto

Nikto generates intrusion prevention system (IPS) traffic.
You will direct the Nikto-generated traffic through Local-FortiGate. Nitko is running on the Linux VM, and the
traffic will go through the egress to ingress firewall policy named IPS. For more information, see Network
Topology on page 9.
You configured the IPS firewall policy to include the following security policy and logging options:

DO Exercise
NOT3: Monitoring
REPRINT Logs Through Alert Email Generate Traffic
© FORTINET
Because Nikto-generated traffic will originate from the IP of the Linux VM where Nikto
is installed (10.200.1.254), all these logs will show the same source IP in the
FortiGate logs. This is a limitation of the lab environment. In a real-world scenario, you
will likely see many different source IPs for your traffic.
To generate traffic through Nikto

1. Continuing on the Local-Windows VM, open a second PuTTY application and connect over SSH to the LINUX
saved session.
2. Log in as student with password password.
3. Type the following command:
nikto.pl -host 10.200.1.10
The vulnerability scanning will result in traffic beginning to generate.
The scan will continue for approximately 25 minutes. The dialog displays an End Time and indication that 1
host is tested when complete.
You can run the command again after the scan completes (press the up arrow and then press Enter) to
generate more logs, but it's not required. One cycle will provide enough logs for the purposes of this lab.
This will run for the remainder of the lab.
Do not close the LINUX PuTTY session or traffic will stop generating.

DO View
NOT REPRINT
Alert Emails Exercise 3: Monitoring Logs Through Alert Email
© FORTINET
View Alert Emails
Now that traffic is being sent through your FortiGate, you can check the [email protected] email to see if any
alerts have been generated based on that traffic. You configured the alert email to generate an alert every one
minute any time an intrusion is detected by the IPS security profile on the IPS firewall policy, and any time the
web filter security profile blocks traffic on the Full Access firewall policy.
The log message that accompanies an alert provides more details about the traffic that caused the alert.
To view your alert emails

1. Continuing on Local-Windows, on the desktop, open Mozilla Thunderbird.
2. Select the inbox of the [email protected] email account and click Get Messages.
You should see a message in the admin inbox with a subject of "Message meets Alert condition". If no email
appears in the inbox, wait 30 seconds, and then click Get Messages again.
3. Open any alert email and review the log message.

As you can see, the log message is in raw format. In the web filter example below (you may receive a
different log message), the log message header provides the type (utm) and subtype (webfilter). The
log message body provides information about the web filter security profile that was applied to the traffic
(Category_block-and-warning), the action it took (blocked), and the category description of the
traffic (Malicious Websites).
4. Open another alert email and record the following information from a single web filter log:
Field Value
date
time
logid
subtype
level
sessionid

DO Exercise
NOT3: Monitoring
REPRINT Logs Through Alert Email View Alert Emails
© FORTINET
Field Value
profile
catdesc
crscore
You will locate this log on the Local-FortiGate GUI in the next exercise.
5. Select the email of the log you recorded by clicking the star icon to the left of the email subject.
The star icon turns yellow.
If you would like to review more alert emails, click Get Messages in your admin inbox
again. You configured your alert email to send messages that meet the alert condition
every one minute.
6. Close the Thunderbird email client when you are finished.

DO NOT REPRINT
© FORTINET
Exercise 4: Viewing Logs on the FortiGate GUI
In this exercise, you will view logs using both the Log & Report and FortiView menus on the Local-FortiGate
GUI. You will also configure filter options to locate specific logs.
View Logs from Log & Report Menu
In this exercise, you will examine the logs on the Local-FortiGate GUI, based on the traffic you generated from
the FIT VM and Nikto.
Forward Traffic
The first place you will examine logs is on the Forward Traffic page.
All security profile-related logs are tracked within the forward traffic logs, so you can search all forward traffic in
one place. This is helpful if you are looking to see all activity from a particular address, security feature, or traffic.
Security profile logs are still tracked separately in the GUI, but only appear when logs exist.
To view and filter forward traffic logs


DO Exercise
NOT4: Viewing
REPRINT
Logs on the FortiGate GUI View Logs from Log & Report Menu
© FORTINET
2. Click Log & Report > Forward Traffic.
3. To narrow down the logs (results), on the search bar, click Add Filter, and then add some filters. For example:
Filter Value
Date/Time Last 5 Minutes
This filters on all logs from the last 5 minutes.
Result Deny (all)
This filters on all blocked traffic.
Threat Score >=50
This filters on all Web activity greater than or equal to the Critical (50) risk
level.
Remember, you set Malicious Websites, Hacking, Explicit Violence, and

Pornography to the critical risk level.
If the information on which you are filtering does not appear in the table, you may
need to add the related column to the table. To do so, right-click any column in the
table and select the column you want to add. For example, to view the Threat Score
column, add Threat Score. At the bottom of the list, click Apply to refresh the table
with the new column.
4. Double-click the log you want to view.

The Log Details pane appears on the right side of the page.

DO View
NOT REPRINT
Logs from Log & Report Menu Exercise 4: Viewing Logs on the FortiGate GUI
© FORTINET
5. View both the Details and Security tabs to see what information is available.
Security Profile Logs

Now, you will examine the security profile logs, which are tracked separately on the GUI. The menu item for the
specific security profile only appears on the GUI if logs of that type exist.
To view web filter logs

1. Continuing on the Local-FortiGate GUI, click Log & Report > Web Filter.
If this menu item does not display, you can refresh the page, or log out of the Local-
FortiGate GUI and log in again.
2. Locate the log in the alert email that you recorded in To view your alert emails on page 114 by using log filters.

DO Exercise
NOT4: Viewing
REPRINT
Logs on the FortiGate GUI View and Filter IPS Logs
© FORTINET
Stop and think!
Which filter would best return the specific log you are seeking? For example, filters based on log subtype or
crscore would most likely return too many logs, making the search inefficient.
Answer: Session ID.
3. After you locate the log, double-click the entry to view the log details.
As you can see, the log details in the alert email are the same as the log details on the GUI. The only
difference is the format. Alert emails provide the log detail information in raw format, while the GUI provides
the log detail information in a formatted view.
View and Filter IPS Logs
In this exercise, you will view and filter IPS logs.

On the Local-FortiGate GUI (10.0.1.254), complete the following:
l View the GUI page that shows intrusion prevention logs only
l Filter for a log with the attack name Web.Server.Password.Files.Access
l View information about the attack on FortiGuard
After you complete the challenge, see View Logs in FortiView on page 120.
To view and filter IPS logs

1. Continuing on the Local-FortiGate GUI, click Log & Report > Intrusion Prevention.
2. Double-click any IPS log to view more information about an attack.
3. In the Log Details pane, under Intrusion Prevention, click the reference link.

DO View
NOT Logs inREPRINT
FortiView Exercise 4: Viewing Logs on the FortiGate GUI
© FORTINET
This takes you to the FortiGuard website, where you can gather more information about the specific attack,
such as the description of the attack, affected products, impact, and recommended actions.
4. After you finish, close the FortiGuard tab.
View Logs in FortiView
FortiView is a comprehensive monitoring system for your network that integrates real-time and historical data into
a single view on your FortiGate.
Now, you will view your logs in FortiView.
To view logs in FortiView

1. Continuing on the Local-FortiGate GUI, click FortiView > Web Sites.
By default, the search settings are set to display logs being created now. If no logs are being created
currently, the page will be blank. This is expected.
2. Use the search settings to display the web activity in a different way. For example:
l Click the table icon ( ), and select Bubble Chart.

l Use the Compare By drop-down menu to display the information by Threat Score, Sessions, Browsing
Time,or Bytes.

DO Exercise
NOT4: Viewing
REPRINT
Logs on the FortiGate GUI View Logs in FortiView
© FORTINET
Close both the FIT and LINUX PuTTY sessions to stop log generation.

DO NOT REPRINT
© FORTINET
Lab 7: Certificate Operations
In this lab, you will configure SSL deep inspection using a self-signed SSL certificate on FortiGate to inspect
outbound traffic. You will also import a web server certificate on FortiGate and configure inbound SSL inspection.
Objectives
l Configure and enable SSL deep inspection on outbound traffic
l Import an external web server certificate
l Configure and enable SSL deep inspection on inbound traffic
Time to Complete
Prerequisites
Before beginning this lab, you must restore a configuration file on each FortiGate.


4. Click Desktop > Resources > FortiGate-Security > Certificate-Operations > remote-certificate-
operations.conf, and then click Open.

DO Lab
NOT REPRINT
7: Certificate Operations
© FORTINET
5. Click OK.


4. Click Desktop > Resources > FortiGate-Security > Certificate-Operations > local-certificate-
operations.conf, and then click Open.
5. Click OK.

DO NOT REPRINT
© FORTINET
Exercise 1: Configuring SSL Deep Inspection on
Outbound Traffic
SSL deep inspection on outbound traffic allows FortiGate to inspect encrypted Internet-bound traffic, and apply
security profiles to that traffic to protect your network and end users. FortiGate employs a man-in-the-middle
(MITM) attack to inspect the traffic and apply security profiles such as antivirus, web filter, and application
control.
In this exercise, you will configure and enable SSL inspection on all outbound traffic.
Configure SSL Inspection
By default, FortiGate includes two security profiles for SSL/SSH inspection: certificate-inspection and deep-
inspection, which you cannot modify. Because this exercise involves configuring FortiGate for SSL full
inspection, you will configure a new SSL/SSH inspection profile for full SSL inspection.
To configure SSL inspection

2. Click Security Profiles > SSL/SSH Inspection.
3. In the upper-left corner, click Create New to create a new profile.
4. In the Name field, type Custom_Full_Inspection.

5. At the bottom of the page, in the Common Options section, enable Allow Invalid SSL Certificates.
6. Click OK.

DO Exercise
NOT1: Configuring
REPRINT SSL Deep Inspection on Outbound Traffic Enable SSL Inspection on a Firewall Policy
© FORTINET
Enable SSL Inspection on a Firewall Policy
You must enable SSL inspection on a firewall policy to start inspecting traffic. However, you cannot enable SSL
inspection by itself. The firewall policy must have one or more other security profiles enabled, because enabling
SSL inspection tells FortiGate only how to handle encrypted traffic—you still need to tell FortiGate which traffic to
inspect. For the purposes of this lab, you will enable the default web filter security profile.
To enable SSL inspection on a firewall policy

2. Double-click the Full_Access firewall policy to edit it.
3. In the Security Profiles section, enable the following security profiles:
Security Profile Value
Web Filter default
SSL Inspection Custom_Full_Inspection
This is the profile you created previously.
4. In the Logging Options section, enable Log Allowed Traffic, and select All Sessions.
5. Click OK.
Install the Fortinet_CA_SSL Certificate
FortiGate includes an SSL certificate, called Fortinet_CA_SSL, that you can use for full SSL inspection. It is
signed by a certificate authority (CA) called FortiGate CA, which is not public. Because the CA is not public, your
browser will display a certificate warning each time a user connects to an HTTPS site. This is because the
browser is receiving certificates signed by FortiGate, which is a CA it does not know and trust. You can avoid this
warning by downloading the Fortinet_CA_SSL certificate and installing it on all the workstations as a public
authority.
In this procedure, you will first test access to an HTTPS site without the Fortinet_CA_SSL certificate installed.
Then, you will install the Fortinet_CA_SSL certificate and test again.
To test SSL deep inspection without a trusted CA

1. On the Local-Windows VM, open a new browser tab and go to an HTTPS site, such as:
https://salesforce.com
2. Click Advanced.
Notice the certificate warning. This appears because the browser is receiving certificates signed by the
FortiGate CA's private key, and the corresponding CA certificate is not in the Local-Windows certificate store.

DO Install
NOT REPRINT
the Fortinet_CA_SSL Certificate Exercise 1: Configuring SSL Deep Inspection on Outbound Traffic
© FORTINET
3. Leave the browser tab open and continue to the next procedure. Do not add the exception.
To install the Fortinet_CA_SSL certificate in the browser

1. Return to the browser tab where you are logged in to the Local-FortiGate GUI, and click System > Certificates.
2. In the Local CA Certificates section, click Fortinet_CA_SSL, and then click Download.
3. Click Save File.

The certificate downloads to your Downloads folder.
4. In Firefox, in the upper-right corner of the window, click the Open menu icon, and then click Options.

DO Exercise
NOT1: Configuring
REPRINT SSL Deep Inspection on Outbound Traffic Install the Fortinet_CA_SSL Certificate
© FORTINET
5. Click Privacy & Security.
6. In the Certificates section, click View Certificates.
7. In the Certificate Manager window, click the Authorities tab, and then click Import.

DO Test
NOT REPRINT
Full SSL Inspection Exercise 1: Configuring SSL Deep Inspection on Outbound Traffic
© FORTINET
8. Click Downloads> Fortinet_CA_SSL.cer, and then click Open.

9. In the Downloading Certificate window, select Trust this CA to identify websites, and then click OK.
The Fortinet_CA_SSL certificate is added to the Firefox Authorities certificate store.
10. Click OK.

11. Restart Firefox.
Test Full SSL Inspection
Now that you have added the Fortinet_CA_SSL certificate to your browser, you will not receive any certificate
warnings when accessing a secure site.
The CA that signed this certificate is not public, but the browser is aware of it because you added it as a trusted
authority in the previous exercise.

DO Exercise
NOT1: Configuring
REPRINT SSL Deep Inspection on Outbound Traffic Test Full SSL Inspection
© FORTINET
To test SSL full inspection
1. Continuing on the Local-Windows VM, open a new browser and go to a secure site, such as:
https://salesforce.com
This time you are passed through to the site without any certificate warnings.
2. Close the browser.

DO NOT REPRINT
© FORTINET
Exercise 2: Configuring SSL Deep Inspection on Inbound
Traffic
You can use SSL deep inspection on inbound traffic to protect internal resources, such as web servers, that users
can access on the Internet. Implementing inbound SSL deep inspection allows you to apply antivirus, IPS, and
web application firewall (WAF) on encrypted traffic destined for your web servers, to protect them from malicious
files and traffic.
In this exercise, you will import an external web server certificate to Local-FortiGate, and then configure SSL
deep inspection to protect a web server with an antivirus profile.
Configure a Virtual IP and Firewall Policy
First, you will configure a virtual IP to map an external IP address to the web server's internal IP address. Then,
you will configure a firewall policy to allow access to the virtual IP.

l On the Local-FortiGate GUI, configure a new virtual IP to map the external IP, 10.200.1.200, to the
internal IP, 10.0.1.10, using port1 as the external interface. Use VIP-WEB-SERVER as the name of
your virtual IP.
l Create a new firewall policy to allow all inbound traffic to the virtual IP. Use Web_Server_Access as the
name of the firewall policy.
After you complete the challenge, see Install the Training CA Certificate on page 131.
To configure a virtual IP
2. Click Policy & Objects > Virtual IPs.
3. Click Create New, and select Virtual IP.
Field Value
Name VIP-WEB-SERVER
Interface port1

DO Exercise
NOT2: Configuring
REPRINT SSL Deep Inspection on Inbound Traffic Install the Training CA Certificate
© FORTINET
Field Value
External IP Address/Range 10.200.1.200
Mapped IP Address/Range 10.0.1.10
5. Click OK.
To configure a firewall policy

2. Click Create New, and then create a new firewall policy using the following settings:
Field Value
Name Web_Server_Access
Source all
Destination VIP-WEB-SERVER
Schedule always
Service ALL
Action ACCEPT
NAT <disable>
3. Click OK.
Install the Training CA Certificate
Now, you will verify access to the web server URL, and then install the Training CA certificate on Firefox to
eliminate certificate errors.

DO Install
NOT REPRINT
the Training CA Certificate Exercise 2: Configuring SSL Deep Inspection on Inbound Traffic
© FORTINET
l On the Remote-Windows VM, verify that you have access to the web server using
https://10.200.1.200.
l Using Firefox, review the web server certificate details and identify the certificate issuer.
l Install the Training CA certificate in Firefox's Authorities certificate store. The certificate file is located on
Desktop > Resources > FortiGate-Security > Training.crt.
l Make sure certificate-related warning messages no longer appear before proceeding to the next section.
After you complete the challenge, see Configure Inbound SSL Deep Inspection on page 136.
To verify access
1. On the virtual lab portal, click the Remote-Windows VM.
2. Open Firefox and access the web server using https://10.200.1.200.
A security warning opens.
3. Click Advanced, and then review the warning message.
4. Click Add Exception.

5. Click View.

DO Exercise
NOT2: Configuring
© FORTINET
6. In the Issued By section, review the information.
7. Click Close.
8. Click Cancel.
To install the Training CA certificate

1. Continuing on the Remote-Windows VM, in the upper-right corner of the Firefox browser, click the Open menu
icon, and then click Options.

DO Install
NOT REPRINT
the Training CA Certificate Exercise 2: Configuring SSL Deep Inspection on Inbound Traffic
© FORTINET
2. Click Privacy & Security.
3. In the Certificates section, click View Certificates.

DO Exercise
NOT2: Configuring
© FORTINET
4. In the Certificate Manager window, click the Authorities tab, and then click Import.
5. Click Desktop > Resources > FortiGate-Security > Certificate-Operations > Training.crt, and then click
Open.
The Downloading Certificate window opens.
6. Click Trust this CA to identify websites.
7. Click OK.
8. Click OK.
9. Restart Firefox.
10. Go to https://10.200.1.200, and then verify that the security warning is no longer displayed.

DO Configure
NOTInboundREPRINT
SSL Deep Inspection Exercise 2: Configuring SSL Deep Inspection on Inbound Traffic
© FORTINET
Configure Inbound SSL Deep Inspection
On Local-FortiGate, you will configure and enable SSL deep inspection on all inbound traffic destined to the web
server using the default certificate. You will also observe the changes to the end-user browser session on
Remote-Windows. Then, you will import the external web server certificate on Local-FortiGate, and use it to
perform SSL deep inspection to eliminate security errors.
To configure inbound SSL deep inspection

1. Return to the Local-Windows VM, and on the Local-Fortigate GUI, click Security Profiles > SSL/SSH
Inspection.
2. In the upper-left corner, click Create New to create a new profile.
Field Value
Name Inbound_SSL_Inspection
Enable SSL Inspection of Protecting SSL Server
Server Certificate Fortinet_SSL
4. Click OK.
6. Edit the Web_Server_Access policy.
7. In the Security Profiles section, enable the following security profiles:
Security Profile Value
AntiVirus default
SSL/SSH Inspection Inbound_SSL_Inspection
8. Click OK.

DO Exercise
NOT2: Configuring
REPRINT SSL Deep Inspection on Inbound Traffic Configure Inbound SSL Deep Inspection
© FORTINET
To verify inbound SSL deep inspection
1. Return to the Remote-Windows VM, and close any existing instances of Firefox.
2. Open Firefox again, and go to https://10.200.1.200.
A security warning opens. If you do not receive a security warning, refresh the page (F5). This forces Firefox
to update its local cache.
3. Click Advanced, and review the error message.

4. Click Add Exception.
5. Click View.
6. Review the certificate information.
Stop and think!

To inspect the encrypted traffic, Local-FortiGate must proxy the connection between Remote-Windows and
the web server. To do this, FortiGate must use its own certificate (FortiGate_SSL), which is not a trusted
certificate. It is also not issued for the hostname you are using in the URL to access the secure website.
While this does verify that Local-FortiGate is inspecting the encrypted traffic, you must perform a few more
configuration steps to make sure the correct certificate is being used, to eliminate any end-user-side
security errors.
7. Click Close.
8. Click Cancel.
To import the web server certificate and private key on Local-FortiGate

2. On the Local-FortiGate GUI, click System > Certificates.
3. Click Import, and then select Local Certificate.
4. In the Type drop-down list, select PKCS # 12 Certificate.
5. Click Upload.
6. Click Desktop > Resources > FortiGate-Security > Certificate-Operations ;> webserver.p12, and then click
Open.
The Certificate Name field is auto-populated from the certificate file name.

DO Configure
NOTInboundREPRINT
SSL Deep Inspection Exercise 2: Configuring SSL Deep Inspection on Inbound Traffic
© FORTINET
PKCS#12 (.p12 file extension) is an archive file format used to bundle a certificate
with its private key. It is usually protected using a password.
The webserver.p12 file contains the web server's certificate and private key.
7. In the Password field, enter fortinet.

8. Click OK.
The certificate and key are imported.
To modify the inbound SSL inspection profile

1. Continuing on the Local-FortiGate GUI, click Security Profiles > SSL/SSH Inspection.
2. In the upper-right corner, in the profile drop-down list, select Inbound_SSL_Inspection.
3. In the Server Certificate drop-down list, select webserver.
4. Click Apply.
To verify the SSL inspection profile change

1. Return to the Remote-Windows VM, and close any existing instances of Firefox.
2. Open Firefox again, and go to https://10.200.1.200.
Verify that there are no more security errors. If you still receive errors, refresh the page (F5). This forces
Firefox to update its local cache.

DO NOT REPRINT
© FORTINET
Lab 8: Web Filtering
In this lab, you will configure one of the most used security profiles on FortiGate: web filter. This includes
configuring a FortiGuard category-based filter, applying the web filter profile on a firewall policy, testing your
configuration, and basic troubleshooting.
You will also apply overrides to FortiGuard website categories and perform overrides on the web filtering profile.
The web filtering overrides allow you to execute different actions, rather than the configured actions on the web
filter security profile.
Objectives
l Configure web filtering on FortiGate
l Apply the FortiGuard category-based option for web filtering
l Troubleshoot the web filter
l Read and interpret web filter log entries
l Configure web rating overrides
l Configure web profile overrides
Time to Complete
Prerequisites
Before beginning this lab, you must clear your web browser history and restore a configuration file to the Local-
FortiGate.
To clear the web browser history

1. On the Local-Windows VM, open the browser and click the menu icon in the upper-right corner.
2. Click Options > Privacy & Security.

3. Scroll to History, click Clear History..., and ensure the time range to clear is set to Everything.
4. Click Clear Now.

DO NOT REPRINT Lab 8: Web Filtering
© FORTINET
To restore the FortiGate configuration file
2. In the upper-right corner of the screen, click admin, and then select Configuration > Restore.
3. Select Restore from Local PC, and then click Upload.

4. Browse to Desktop > Resources > FortiGate-Security > Web-Filtering > local-web-filtering.conf,
and then click Open.
5. Click OK.

DO NOT REPRINT
© FORTINET
Exercise 1: Configuring FortiGuard Web Filtering
To configure FortiGate for web filtering based on FortiGuard categories, you must make sure that FortiGate has
a valid FortiGuard security subscription license. The license provides the web filtering capabilities necessary to
protect against inappropriate websites.
Then, you must configure a category-based web filter security profile on FortiGate and apply the security profile
on a firewall policy to inspect the HTTP traffic.
Finally, you can test different actions taken by FortiGate according to the website rating.
Review the FortiGate Settings
You will review the inspection mode and the license status according to the uploaded settings. You will also list
the FortiGuard distribution servers (FDS) that your FortiGate will use to send the web filtering requests.
To review the restored settings on FortiGate

2. On the Dashboard, locate the Licenses widget and confirm that the FortiGuard Web Filtering service is
licensed and active.
A green check mark should appear beside Web Filtering.
Because of the reboot following the restoration of the configuration file, the web filter
license status may show "Unavailable". In this case, navigate to System >
FortiGuard, click Check Again to force an update, and OK to confirm.

DO Determine
NOT Web REPRINT
Filter Categories Exercise 1: Configuring FortiGuard Web Filtering
© FORTINET
4. Double click the Full_Access policy to edit.
5. Verify the Inspection Mode setting.
Notice that the default inspection mode is set to Flow-based.
6. Select Proxy-based under Inspection Mode.

7. Click OK.
9. Double click the Full_Access policy to edit. Verify that Inspection Mode is now set to Proxy-based.
Determine Web Filter Categories
In order to configure web filter categories, you must first identify how specific websites are categorized by the
FortiGuard service.
To determine web filter categories

1. Continuing on the Local-Windows VM, open a new browser tab and go to
https://www.fortiguard.com/webfilter.
2. Use the Web Filter Lookup tool and search for the following URL:
www.youtube.com

DO Exercise
NOT1: Configuring
REPRINT FortiGuard Web Filtering Configure a FortiGuard Category-Based Web Filter
© FORTINET
This is one of the websites you will use later to test your web filter.
As you can see, YouTube is listed in the Steaming Media and Download category.
3. Use the Web Filter Lookup tool again to find the web filter category for the following websites:
l www.skype.com
l www.ask.com
l http://www.bing.com/
You will test your web filter using these websites as well.
This table shows the category assigned to each URL, as well as the action you will configure your FortiGate
to take based on your web filter security profile:
Website Category Action
http://www.youtube.com/ Streaming Media and Download Block
http://www.skype.com/ Internet Telephony Warning
http://www.bing.com/ Search Engines and Portals Allow
http://www.ask.com Search Engines and Portals Allow
Configure a FortiGuard Category-Based Web Filter
You will review the default web filtering profile and configure the FortiGuard category-based filter.
To configure the web filter security profile

1. Return to your browser tab where you are logged into the Local-FortiGate GUI, and click Security Profiles >
Web Filter.

DO Configure
NOTaREPRINT
FortiGuard Category-Based Web Filter Exercise 1: Configuring FortiGuard Web Filtering
© FORTINET
2. Double click the default web filter profile to edit it.
3. Verify that FortiGuard category based filter is enabled.
4. Review the default actions for each category.
Category Action
Local Categories Allow
Potentially Liable Block: Extremist Group
Allow: all other sub-categories
Tip: Expand Potentially Liable to view the subcategories
Adult/Mature Content Block

DO Exercise
NOT1: Configuring
REPRINT FortiGuard Web Filtering Configure a FortiGuard Category-Based Web Filter
© FORTINET
Category Action
Bandwidth Consuming Allow
Security Risk Block
General Interest - Personal Allow
General Interest - Business Allow
Unrated Block
5. Expand Bandwidth Consuming to view the subcategories.
6. Right-click Streaming Media and Download and select Block.

DO Apply
NOT REPRINT
the Web Filter Profile to a Firewall Policy Exercise 1: Configuring FortiGuard Web Filtering
© FORTINET
7. Right-click Internet Telephony, and select Warning.
The Edit Filter dialog box opens, allowing you to modify the warning interval.
8. Keep the default setting of 5 minutes and click OK.

9. Click OK.
Apply the Web Filter Profile to a Firewall Policy
Now that you have configured the web filter profile, you must apply this security profile to a firewall policy, in order
to start inspecting web traffic.
You will also enable the logs to store and analyze the security events generated by the web traffic.

On the Local-FortiGate GUI (10.0.1.254), apply the web filter profile to the existing Full_Access
firewall policy. Make sure that logging is also enabled and set to Security Events.
After you complete the challenge, see Test the Web Filter on page 147.
To apply a security profile on a firewall policy

2. Double-click the Full_Access policy to edit it.
3. In the Security Profiles section, enable Web Filter, and from the drop-down menu select default.

DO Exercise
NOT1: Configuring
REPRINT FortiGuard Web Filtering Test the Web Filter
© FORTINET
4. Under Log Allowed Traffic, make sure Security Events is selected.

5. Keep all other default settings and click OK.
Test the Web Filter
For the purposes of this lab, you will test the web filter security profile you configured for each category.
To test the web filter

session.
3. Enter the following command to verify the web filter status:
get webfilter status
The get webfilter status and diagnose debug rating commands show the list of FortiGuard
FDS that your FortiGate uses to send web filtering requests. In normal operations, FortiGate sends the rating
requests only to the server at the top of the list. Each server is probed for round-trip time (RTT) every 2
minutes.
Stop and think!

Why does only one IP address from your network appear in the server list?
Your lab environment uses a FortiManager at 10.0.1.241, which has been configured as a local FDS
server. It contains a local copy of the FDS web rating database.
FortiGate sends the rating requests to FortiManager instead of the public FDS servers. For this reason, the
output of the above command lists only the FortiManager IP address.
4. Open a new web browser tab and go to http://youtube.com.

A warning displays, according to the predefined action for this website category.

DO Create
NOT REPRINT
a Web Rating Override Exercise 1: Configuring FortiGuard Web Filtering
© FORTINET
5. Open a new web browser tab and go to http://www.skype.com/.

A warning displays, according to the predefined action for this website category.
6. Click Proceed to accept the warning and access the website.

7. Open a new web browser tab and go to http://www.bing.com/.
This website appears because it belongs to the Search Engines and Portals category, which is set to
Allow.
Create a Web Rating Override
In this procedure you will override the category for www.bing.com.
To create a web rating override

1. Return to your browser tab where you are logged in to the Local-FortiGate GUI, and click Security Profiles >
Web Rating Overrides.
2. Click Create New, and then configure the following settings:

DO Exercise
NOT1: Configuring
REPRINT FortiGuard Web Filtering Test the Web Rating Override
© FORTINET
Field Value
URL www.bing.com
Category Security Risk
Sub-Category Malicious Websites
3. Click OK.
Test the Web Rating Override
You will test the web rating override you created in the previous procedure.
To test the Web Rating Override

1. Continuing on the Local-Windows VM, open a new browser tab, and try again to access the website
www.bing.com.
The website is blocked and it matches a local rating instead of a FortiGuard rating.

DO NOT REPRINT
© FORTINET
Exercise 2: Setting Up Web Filtering Authentication
In this exercise, you will configure and test the authenticate action for web filtering categories.
Set Up the Authenticate Action
First, you will override the category for www.bing.com and change it to Proxy Avoidance. Then, you will set
the action for this FortiGuard category to Authenticate.
To override the category

2. Click Security Profiles > Web Rating Overrides.
There is an entry for www.bing.com. The override category is set to Malicious Websites, which you
should have created in the previous exercises.
3. Double-click www.bing.com to verify the rating override and confirm the category and subcategory:
Field Value
Category Security Risk
Sub-Category Malicious Websites
By default, the Security Risk category is set to Block on your FortiGate.
4. Click Cancel.
To set up the authenticate action

1. Continuing on the Local-FortiGate GUI, click Security Profiles > Web Filter.

DO Exercise
NOT2: Setting
REPRINT
Up Web Filtering Authentication Define Users and Groups
© FORTINET
3. Under FortiGuard category based filter, expand Security Risk, right-click Malicious Websites, and then
select Authenticate.
The Edit Filter widget appears.
4. Use the following settings:
Field Value
Warning Interval 5 minutes
Selected User Groups Override_Permissions
5. Click OK.
6. Click OK.
For the purpose of this lab, Override_Permissions is a predefined user group. To

review the user groups, click User & Devices > User Groups.
Define Users and Groups
You will define a user in order to test the authenticate action.
To create a user
1. Continuing on the Local-FortiGate GUI, click User & Device > User Definition.
3. Select Local User as the User Type.
4. Click Next, and then configure the following settings:

DO Test
NOT REPRINT
the Authenticate Action Exercise 2: Setting Up Web Filtering Authentication
© FORTINET
Field Value
User Name student
Password fortinet
5. Click Next.
6. Click Next.
7. Enable User Group, and then, in the drop-down list, select Override_Permissions.
8. Click Submit.
The student user is created.
Test the Authenticate Action
In this section, you will test access to a website using the authenticate action, and then analyze the logs made by
the security events.
To test the web rating override

1. Continuing in the Local-Windows VM, open a new browser tab, and try to access http://www.bing.com.
A warning displays. Note that it is a different message from the one that appeared before.
2. Click Proceed.
You might receive a certificate warning at this stage. This is normal and is a direct
result of using a self-signed certificate. Accept the warning message to proceed with
the remainder of the procedure (click Advanced, click Add Exception, and then click
Confirm Security Exception).

DO Exercise
NOT2: Setting
REPRINT
Up Web Filtering Authentication Test the Authenticate Action
© FORTINET
3. Click Continue.
4. Enter the following credentials:
Field Value
Username student
Password fortinet
This website now displays correctly.
To review the web filter logs for web rating overrides

1. Return to your browser tab where you are logged into the Local-FortiGate GUI, and click Log & Report > Web
Filter.
The Web Filter logs section won't display if there are no web filtering logs. FortiGate
displays the section after creating logs. If th eWeb Filter menu does not appear in the
GUI, refresh your browser or log out of the Local-FortiGate GUI and log back in.
According to the logs, http://www.bing.com was initially blocked, but after clicking Proceed and
authenticating, the logs show a different action: passthrough.
Remember, http://www.bing.com is rated by FortiGuard as belonging to the Search Engines and

Portals category, where the action, by default, is set to Allow.
However, for this website, you changed the category to Security Risk.

DO NOT REPRINT
© FORTINET
Exercise 3: Configuring and Testing Web Profile Overrides
As you have tested the web rating overrides, you will now test web profile overrides.
The web profile overrides feature changes the rules applied to inspected traffic. It authorizes some users, user
groups, or predefined source IPs, to use a different web filter profile.
Configure Web Profile Overrides
In this procedure, you will allow users to override blocked categories. Those users must authenticate in order to
apply a different web filter profile.
To configure a web profile override

2. Click Security Profiles > Web Filter.
4. Enable Allow users to override blocked categories, and then enter the following values:
Field Value
Group that can override Override_Permissions
Profile Name monitor-all
Switch applies to IP
Switch duration Predefined 0 Day(s) | 0 Hour(s) | 15 Minute(s)
Test the Web Profile Override
Finally, you will test the global access for a blocked category, and authenticate to apply a new web filter profile.
You will also review the web filter logs to verify how actions change after the new web profile is applied.
To test the web profile override

1. Continuing on the Local-Windows VM, open a new browser tab, and try to access www.youtube.com.
A warning displays according to the action for this website category. However, this warning is different from
the one that appeared in To test the web filter on page 147. This warning includes an override link at the
bottom.

DO Exercise
NOT3: Configuring
REPRINT and Testing Web Profile Overrides Test the Web Profile Override
© FORTINET
2. Click Override.
You might receive a certificate warning at this stage. This is normal and is a direct
result of using a self-signed certificate. Accept the warning message to proceed with
the remainder of the procedure (click Advanced, click Add Exception, and then click
Confirm Security Exception).
A block override message appears:
3. Enter the following values:
Field Value
Username student
Password fortinet

DO Test
NOT REPRINT
the Web Profile Override Exercise 3: Configuring and Testing Web Profile Overrides
© FORTINET
4. Click Continue.
FortiGate overrides the default profile and allows you to access the website.
To review the web filter logs for web profile overrides

1. Return to your browser tab where you are logged in to the Local-FortiGate GUI, and click Log & Report > Web
Filter.
2. Compare the current passthrough entries with the older blocked logs.
3. Select a blocked entry and in the upper-right corner of the screen, and click Details.
4. Now, select a passthrough entry and click Details.
Notice that the web profile used is different.

DO NOT REPRINT
© FORTINET
Lab 9: Application Control
In this lab, you will configure and use the application control in policy-based mode, to apply an appropriate action
to specified application traffic. You will the view the generated logs.
Objectives
l Configure and test application control in NGFW policy-mode
l Read and understand application control logs
Time to Complete
Prerequisites

2. In the upper-right corner of the screen, click admin,and then click Configuration > Restore.

4. Click Desktop > Resources > FGT-Security > Application Control > Local-App-Control-
Profile.conf, and then click Open.
5. Click OK.

DO NOT REPRINT
© FORTINET
Exercise 1: Controlling Application Traffic
In this exercise, you will create a profile-based application control profile in flow-based inspection mode. Flow-
based and proxy-based inspection modes share identical configuration steps for application control. The
FortiGate matches the traffic in this order:
1. Application and filter overrides

2. Categories
You will also view the application control logs and applications from FortiView to confirm that the applications are
logged correctly.
Configure Filter Overrides
The configuration file for this exercise already has the application control categories set to monitor (except
Unknown Applications). This allows the applications to pass, but also records a log message.
In this exercise, you will configure filter overrides.
To configure filter overrides

2. Click Security Profiles > Application Control.
3. Double click the default application control profile and review the sensor.

DO Exercise
NOT1: Controlling
REPRINT Application Traffic Configure Filter Overrides
© FORTINET
There are 93 cloud-based application signatures available in the application control
signatures database that require deep inspection. The number beside the cloud icon in
each category represents the number of cloud application signatures in a specific
category. The number of cloud applications will keep increasing as new applications
are added to this list.
4. In the Application and Filter Overrides section, click Create New to add a filter override.
5. On the Add New Override page, in the Type field, select Filter.
6. Click + to add a filter.
7. Under Behavior, click Excessive-Bandwidth.
The Excessive-Bandwidth setting blocks many applications that are known to be

bandwidth intensive. Applications can belong to different categories, but they may be
part of this behavior filter if they are bandwidth intensive.
8. Click Ok.
Your configuration should look similar to below. The action for this should show as Block.
9. Click Apply.

DO Apply
NOT REPRINT
the Application Control Profile to the Firewall Policy Exercise 1: Controlling Application Traffic
© FORTINET
Apply the Application Control Profile to the Firewall Policy
Now that you have configured the application control profile, you will apply it to the firewall policy.

On the Local-FortiGate GUI (10.0.1.254), edit the existing Application_Control firewall policy and do
the following:
l Enable the default application control profile.

l Enable deep-inspection in the SSL/SSH inspection profile.
After you complete the challenge, see Test the Application Control Profile on page 160.
To apply an application control profile to a firewall policy

2. Right click the ID column of the Application_Control firewall policy and click Edit.
3. In the Security Profiles section, enable Application Control and select default in the drop-down menu.
4. Select deep-inspection from the drop-down menu for the SSL Inspection profile.
Test the Application Control Profile
Now that your configuration is complete, you will test the application control profile by going to the application
that you blocked in the application overrides configuration.

DO Exercise
NOT1: Controlling
REPRINT Application Traffic Configure Application Overrides
© FORTINET
To test the application control profile
1. Continuing on the Local-Windows VM, open a new web browser tab and go to the following URL:
http://dailymotion.com.
You should observe that you cannot connect to this site. It times out.
2. Return to the browser tab where you are logged in to the Local-FortiGate GUI, and click Security Profiles >
Application Control.
3. Edit the default application sensor again.
4. In the Options section at the bottom of the page, enable Replacement Messages for HTTP-based
Applications.
5. Click Apply.
6. Open a new web browser tab and go to the following URL: http://dailymotion.com.
FortiGate should display a block message. It can take up to 2 minutes for the block page to be displayed
because of the change in configuration.
Configure Application Overrides
In this exercise, you will configure application overrides. The application overrides will take precedence over filter
overrides and application categories.

On the Local-FortiGate GUI (10.0.1.254 | admin <blank password>), complete the following:
l Modify the default application control profile.

l Add Application Overridesfor the Dailymontionapplication signature and set the action to Allow.
After you complete the challenge, see Test Application Overrides on page 162.

DO Test
NOT REPRINT
Application Overrides Exercise 1: Controlling Application Traffic
© FORTINET
To configure application overrides
1. Return to the browser tab where you are logged in to the Local-FortiGate GUI, and click Security Profiles >
2. Edit the default application sensor again.
3. In the Application and Filter Overrides section, click Create New.
4. On the Add New Override page, in the Type field, select Application.
5. In the Action field, select Allow.
6. Click + to add an application.
7. Type Dailymotion in the search field.
A signature is returned.
8. Select Dailymotion and click OK at the bottom.

9. Drag the Dailymotion application filter and place it above the Excessive-Bandwidth filter.
Your configuration should look like the following:
10. At the bottom of the Edit Application Sensor page, click Apply.
This application control profile is already applied to a firewall policy that is scanning all
outbound traffic. You do not need to reapply the application control profile for the
changes to take affect.
Test Application Overrides
Now that your configuration is complete, you will test the application control profile by going to the application
that you allowed.

DO Exercise
NOT1: Controlling
REPRINT Application Traffic View Logs
© FORTINET
To test the application control profile
http://dailymotion.com.
FortiGate allows the website to load properly.
View Logs
Now you will view the logs for the test you just performed.
To view logs
1. Return to your browser tab where you are logged in to the Local-FortiGate GUI, and click Log & Report >
The Application Control logs section will not display if there are no application
control logs. FortiGate will show it after creating logs. If the Application Control
menu item does not display in the GUI, refresh the browser or log out of the Local-
FortiGate GUI and log in again.
2. Use the Application Name log filter and search for Dailymotion.
You will see log messages with the action set to block.
3. Double-click on a log to view more details.

The details include application sensor name, application name, category, policy ID, and the action taken by
FortiGate.
4. Click Log & Report > Forward Traffic and search and view the log information for Dailymotion.
You will see more details about the log, including translated IP, bytes sent, bytes received, action, and
application.

DO NOT REPRINT
© FORTINET
Exercise 2: Controlling Application Bandwidth Usage
You can limit the bandwidth consumption of an application category, or of a specific application, by configuring a
traffic shaping policy. You must ensure that the matching criteria aligns with the firewall policy or policies to which
you want to apply shaping.
In this exercise, you will configure and apply traffic shaping to an application, to limit its bandwidth consumption.
Modify Application Overrides Action
You will be modifying the application override for the Dailymotion application to change the action from Allow
to Monitor. Then, you will apply traffic shaping in the next procedure.
To modify the application overrides action

2. Click Security Profiles > Application Control.
3. Edit the application sensor named default.
4. In the Application and Filter Overrides section, edit Dailymotion filter and set Action to Monitor.
5. Click OK.This changes the action for Dailymotion from Allow to Monitor.
6. Click Apply.
For the purposes of this lab, setting the action to Monitor ensures all application
control events are logged.
Configure a Traffic Shaping Policy
You will be configuring a traffic shaping policy using the preconfigured traffic shaper to limit the bandwidth use of
Dailymotion.

DO Exercise
NOT2: Controlling
REPRINT Application Bandwidth Usage Configure a Traffic Shaping Policy
© FORTINET
On the Local-FortiGate GUI (10.0.1.254 | admin <blank password>), complete the following:
l Create a traffic shaping policy for the Dailymotion application only from port1.
l Apply DAILYMOTION_Shaper as Reverse Shaper.
After you complete the challenge, see Test Traffic Shaping on page 166.
To configure a Traffic Shaping Policy

1. Continuing on the Local-FortiGate GUI, click Policy & Objects > Traffic Shapers.
2. For the DAILYMOTION_SHAPER , examine the Max Bandwidth column.
You will notice that maximum amount of allowed bandwidth is very low.
3. Click Policy & Objects > Traffic Shaping Policy, and then click Create New.
Field Value
Name Application_Traffic_Shaper_Policy
Source all
Destination all
Service ALL
Application Dailymotion
Tip: Type Dailymotion in the search box in the right pane to locate it
easily.
This is FortiGate egress interface.
Reverse Shaper <enable> and apply DAILYMOTION_SHAPER

DO Test
NOT Traffic REPRINT
Shaping Exercise 2: Controlling Application Bandwidth Usage
© FORTINET
Your configuration should look like this:
5. Click OK.
The Shared Shaper option limits the bandwidth from ingress-to-egress. It is useful
for limiting uploading bandwidth. The Reverse Shaper limits the bandwidth from
egress-to-ingress. It is useful for limiting downloading or streaming bandwidth.
You must ensure that the matching criteria aligns with the firewall policy or policies to
which you want to apply traffic shaping.
Test Traffic Shaping
Now that your configuration is complete, you will test traffic shaping by playing a video on Dailymotion.
To test traffic shaping

http://dailymotion.com
2. Try to play any video.

You will notice that access to this site is slow and the video is taking a long time to buffer and play.

DO Exercise
NOT2: Controlling
REPRINT Application Bandwidth Usage Test Traffic Shaping
© FORTINET
If your classroom is using a virtual lab, the underlying hardware is shared, so the
amount of available bandwidth for Internet access varies according to other
simultaneous use. The traffic shaper is set to a very low value in order to make sure
that the difference in behavior is easily noticeable. In real networks, this setting would
be greater.
3. Return to your browser tab where you are logged in to the Local-FortiGate GUI, and click Policy & Objects >
Traffic Shapers.
4. Review the Bandwidth Utilization and Dropped Bytes columns for the DAILYMOTION_SHAPER .
You might need to refresh the FortiGate GUI to view the statistics on Traffic Shapers.
You will notice the bandwidth used by the Dailymotion application and FortiGate is dropping the packets
that are in excess of the configured bandwidth in the traffic shaper.
Monitor statistics are current as of the time that you requested the GUI page, so make
sure to view them while a video is downloading. Also, refresh the page few times to
get the results.
5. Click Log & Report > Forward Traffic and click Configure Table. Scroll down to Shaping Policy ID and click
to enable it.
See below image for details:

DO Test
NOT Traffic REPRINT
Shaping Exercise 2: Controlling Application Bandwidth Usage
© FORTINET
6. Review the logs to display basic information regarding the Traffic Shaper policy.

DO NOT REPRINT
© FORTINET
Lab 10: Antivirus
In this lab, you will configure, use, and monitor antivirus scanning on Local-FortiGate in both flow-based and
proxy-based inspection modes.
Objectives
l Configure antivirus scanning in both flow-based and proxy inspection modes
l Understand FortiGate antivirus scanning behavior
l Scan multiple protocols
l Read and understand antivirus logs
Time to Complete
Prerequisites


4. Click Desktop > Resources > FortiGate-Security > Antivirus > local-AV-flow-based.conf, and then
click Open.
5. Click OK.

DO NOT REPRINT
© FORTINET
Exercise 1: Using Antivirus Scanning in Flow-Based
Inspection Mode
There are two antivirus scanning modes in flow-based inspection mode:
l Quick scan uses a compact antivirus database and performs faster scanning because it doesn’t buffer the file in
memory.
l Full scan uses the full antivirus database. It buffers the file locally, but transmits it simultaneously to the end client.
Everything is transmitted except the last packet. The last packet is delayed, and the whole file is sent to the
antivirus engine for scanning.
In this exercise, you will use antivirus in flow-based inspection mode to understand how FortiGate performs
antivirus scanning. You will use full-scan mode with and without deep inspection. You will observe the behavior of
antivirus scanning, with and without deep inspection, to understand the importance of performing full-content
inspection.
Configure the Antivirus Profile in Flow-Based Inspection Mode
By default, FortiGate inspection mode is set to flow-based, so all the security profiles will also be set to flow-
based inspection mode. In this procedure, you will verify the antivirus profile settings and apply the antivirus
profile to a firewall policy.
To set the current FortiGate inspection mode to flow based

2. Click System > Settings.
3. At the bottom of the page, verify that NGFW Mode is set to Profile-based.
6. Enter the following commands to set the firewall policy to flow-based.

edit 1
set utm-status enable
set inspection-mode flow
next
end

DO Exercise
NOT1: Using
REPRINT
Antivirus Scanning in Flow-Based Inspection Mode Review the Flow-Based Antivirus Profile
© FORTINET
Review the Flow-Based Antivirus Profile
Now that you've verified that the inspection mode is set to flow-based, you will review the antivirus profile to view
the settings.
To review the flow-based antivirus profile

1. Continuing on the Local-FortiGate GUI, click Security Profiles > AntiVirus.
2. Review the default antivirus profile.
Because the inspection mode is set to flow-based, by default, all the security profiles
will be set to flow-based as well.
Enable the Antivirus Profile on a Firewall Policy
Now that you have reviewed the antivirus profile, you must enable the antivirus profile on your firewall policy.
After you enable the antivirus profile on a firewall policy, it can scan for viruses and generate logs (based on
configured log settings).

On the Local-FortiGate GUI (10.0.1.254),complete the following:
l Edit the Full_Access firewall policy and enable the default antivirus profile.
l Use the certificate-inspection profile for SSL inspection.
After you complete the challenge, see Test the Antivirus Configuration on page 172.
To enable the antivirus profile on a firewall policy

3. In the Security Profiles section, enable AntiVirus, and select default from the drop-down menu.
4. In the SSL/SSH Inspection drop-down menu, keep the default certificate-inspection profile.
When selecting an antivirus profile, SSL/SSH Inspection is enabled by default. You

can't disable it, but you can select any preconfigured SSL/SSH inspection profile in the
associated drop-down menu. You will use the certificate-inspection profile for this
section of the lab.
5. Keep the default values for the remaining settings, and then click OK to save the changes.

DO Test
NOT REPRINT
the Antivirus Configuration Exercise 1: Using Antivirus Scanning in Flow-Based Inspection Mode
© FORTINET
Test the Antivirus Configuration
In this procedure, you will download the EICAR test file to your Local-Windows VM. The EICAR test file is an
industry-standard virus used to test antivirus detection without causing damage. The file contains the following
characters:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
To test the antivirus configuration

1. Continuing on the Local-Windows VM, open a new web browser tab and access the following website:
http://eicar.org
2. In the upper-right corner of the EICAR webpage, click DOWNLOAD ANTI MALWARE TESTFILE.
3. Click the Download link on the left.
4. In the Download area using the standard protocol http section, download any EICAR sample file.
FortiGate should block the download attempt and insert a replacement message similar to the following
example:
FortiGate shows the HTTP virus message when it blocks or quarantines infected files.
Test an Alternate Download Method
In this section, you will test the flow-based antivirus configuration using the Save Link As method to download
the EICAR text file.

1. Continuing on the Local-Windows VM, open a new web browser tab and go to the following website:

DO Exercise
NOT1: Using
REPRINT
Antivirus Scanning in Flow-Based Inspection Mode View the Antivirus Logs
© FORTINET
2. On the EICAR website, in the upper-right corner of the page, click DOWNLOAD ANTI MALWARE TESTFILE.
3. Click the Download link on the left.
4. In the Download area using the standard protocol http section, right-click eicar.com.txt and select Save
Link As.
5. Change the download location to Desktop, and then click Save.

You should see the file you downloaded on the desktop. Why was the download allowed?
6. On your desktop, right-click the eicar.com downloaded file, and click Edit with Notepad++ to open the file you
downloaded.
Is the content of the file what it's supposed to be?
Stop and think!

Remember, you are using flow-based inspection mode. Using this method, the client sends a request and
starts receiving the packets immediately, but FortiGate is also buffering those packets at the same time.
When the last packet arrives, FortiGate buffers it and puts it on hold. Then, it sends the whole buffered file
to the IPS engine where rule match is checked and passed to the antivirus engine for scanning. If the
antivirus scan does not detect any viruses, and the result comes back clean, the last buffered packet is
regenerated and delivered to the client.
However, if a virus is found, the last packet is dropped. Even if the client has received most of the file, the
file will be truncated and the client will be not able to open a truncated file. FortiGate injects the block
message into the partially download file. The client can use Notepad to open and view the file.
7. Delete the downloaded eicar.com file from the Desktop.
View the Antivirus Logs
The purpose of logs is to help you monitor your network traffic, locate problems, establish baselines, and make
adjustments to network security, if necessary.

DO View
NOT REPRINT
the Antivirus Logs Exercise 1: Using Antivirus Scanning in Flow-Based Inspection Mode
© FORTINET
To view the antivirus logs
1. Return to your browser where you are logged in to the Local-FortiGate GUI, and click Log & Report > Forward
Traffic. You may need to remove any log filters you have set.
2. Locate the antivirus log message and double-click it.
The Details tab shows forward traffic log information along with the action taken.
3. Select the Security tab to view security logs, which provide information more specific to security events, such as
file name, virus or botnet, and reference.
4. To view antivirus security logs, click Log & Report > AntiVirus.
The AntiVirus section won't display if there are no antivirus logs. FortiGate displays
the AntiVirus section after creating logs. If the AntiVirus menu item does not
display in the GUI, refresh your browser or log out of the FortiGate GUI and log back in
again.
5. Click Dashboard > Status.

6. Scroll to the bottom of the page, and in the bottom right, click the settings icon.
7. Click Add Widget and add the Advanced Threat Protection Statistics widget to view the summary statistics
of the antivirus activity.
8. Click Close.
The Advanced Threat Protection Statistics widget provides statistics about the number of files submitted
and the results of those scans.

DO Exercise
NOT1: Using
REPRINT
Antivirus Scanning in Flow-Based Inspection Mode Enable SSL Inspection on a Firewall Policy
© FORTINET
The Advance Threat Protection Statistics widget displays malware statistics

stored on the device by the antivirus process. Statistics on the widget can be cleared
by formatting the log disk.
Enable SSL Inspection on a Firewall Policy
So far, you have tested unencrypted traffic for antivirus scanning. In order for FortiGate to inspect the encrypted
traffic, you must enable deep inspection on the firewall policy. After you enable this feature, FortiGate will filter
for traffic that is using the SSL encrypted protocol, which is very similar to a man-in-the-middle (MITM) attack.

l On Local-Windows, test the configuration by downloading the eicar.com file using HTTPS without
enabling the deep-inspectionprofile on the Full Access firewall policy.
l Configure Local-FortiGate to scan secure protocols by enabling SSH/SSL Inspection using the deep-
inspection profile on the Full Access firewall policy.
l Test the configuration by downloading the eicar.com file using HTTPS.
To test antivirus scanning without SSL Inspection enabled on the firewall policy
1. Continuing on the Local-Windows VM, open a web browser and go to the following website:
2. On the EICAR webpage, click DOWNLOAD ANTI MALWARE TESTFILE.

3. Click the Download link that appears on the left side.
4. In the Download area using the secure, SSL enabled protocol https section, download eicar.com sample
file.

DO Enable
NOT SSLREPRINT
Inspection on a Firewall Policy Exercise 1: Using Antivirus Scanning in Flow-Based Inspection Mode
© FORTINET
FortiGate should not block the file, because you have not enabled full SSL inspection.
To enable and test the SSL inspection profile on a firewall policy

1. Return to your browser tab where you are logged in to the Local-FortiGate GUI, and click Policy& Objects >
IPv4Policy.
2. Right-click the ID column for the Full Access firewall policy and click Edit.
3. In the Security Profiles section, in the SSL/SSH Inspection drop-down menu, select deep-inspection.
4. Keep the remaining default settings, and then click OK to save the changes.
5. On the EICAR web page, in the Download area using the secure, SSL enabled protocol httpssection, try to
download the same eicar.com file again.
If the FortiGate self-signed, full-inspection certificate is not installed on the browser,

end users will see a certificate warning message. In this environment, the FortiGate
self-signed SSL inspection certificate is installed on the browser.
FortiGate should block the download and replace it with a message. If it doesn't, you may need to clear your
cache. In Firefox, Click Options > Privacy & Security.Scroll to History and click Clear History..., and
ensure the time range to clear is set to Everything. Click Clear Now.

DO NOT REPRINT
© FORTINET
Exercise 2: Configuring Proxy-Based Antivirus Scanning
In proxy-based inspection mode, each protocol's proxy buffers the entire file (or waits for oversize limit) and scans
it. The client must wait for the scan to finish.
In this exercise, you will configure antivirus scanning in proxy-based inspection mode, including associated
security features, such as proxy options with deep-inspection. Then, you will apply antivirus scanning to the
firewall policy. Finally, you will view the logs and summary information for the antivirus activity.
Change the FortiGate Inspection Mode
By default, flow-based inspection mode is enabled on FortiGate firewall policy. You will change the inspection
mode from flow-based to proxy-based.
To change the FortiGate inspection mode

3. Enter the following commands to change from flow-based to proxy inspection mode:
edit 1
set utm-status enable
set inspection-mode proxy
next
end
4. Return to your browser where you are logged into the Local-FortiGate GUI and refresh the browser. (Alternatively,
you can log out of the Local-FortiGate GUI and log back in.)
6. Double click the Full_Access policy to edit.
7. Verify that the Inspection Mode is Proxy-based.
Changing from one inspection mode to another will result in the conversion of profiles
and removal or addition of security features, based on the selected mode.
Review the Antivirus Profile in Proxy-Based Inspection Mode
Now that you've changed the inspection mode to proxy-based, you will view the antivirus profile to see the
changes.

DO Enable
NOT REPRINT
the Antivirus Profile on a Firewall Policy Exercise 2: Configuring Proxy-Based Antivirus Scanning
© FORTINET
To review the antivirus profile in proxy-based inspection mode
1. Click Security Profiles > AntiVirus, and select the default antivirus profile.
2. Verify that Detect Viruses is set to Block and, in the Inspected Protocols section, make sure the FTP switch is
turned on.
This profile defines the behavior for virus scanning on the traffic that matches policies using that profile.
Enable the Antivirus Profile on a Firewall Policy
Now that the antivirus profile is configured, you must enable the antivirus profile on the firewall policy. After you
enable the antivirus profile on a firewall policy, it can scan for viruses and generate logs (based on configured log
settings).
To enable an antivirus profile on a firewall policy

3. In the Security Profiles section, verify that the default profile for AntiVirus is applied.

DO Exercise
NOT2: Configuring
REPRINT Proxy-Based Antivirus Scanning Test the Proxy-Based Antivirus Profile
© FORTINET
When selecting an antivirus profile, Protocol Options and SSL/SSH Inspection are
automatically enabled. You can't disable Protocol Options or SSL/SSH
Inspection, but you can select any preconfigured profiles in the Protocol Options
and SSL/SSH Inspection drop-down menus.
4. Beside the Protocol Options profile, click the pencil icon to view the profile on the firewall policy tab.
Alternatively, click Policy & Objects > Protocol Options to see the default proxy options profile selected
in the firewall policy.
This profile specifies how FortiGate’s proxies pick up protocols. For example, the FTP listening port is set to
port 21.
Test the Proxy-Based Antivirus Profile
Now, you will test the proxy-based antivirus profile using FTP file transfer.

l On the Local-Windows VM desktop, use the FileZilla FTP client to connect to the Linux preconfigured
profile under Site Manager.
l Leave the username and password fields empty.
l Download the eicar.com file from the FTP server.
l View the relevant logs on the Local-FortiGate GUI, and identify the action taken as a result of the
scanning.
If you require assistance, or to verify your work, the step-by-step instructions are provided below.

1. Continuing on the Local-Windows VM, open the FileZilla FTP client software from the desktop.
2. Click the Site Manager icon in the upper-left corner and select Linux.
3. On the Remote site side of the application (right), right-click the eicar.com file, and then select Download.

DO View
NOT REPRINT
the Antivirus Logs Exercise 2: Configuring Proxy-Based Antivirus Scanning
© FORTINET
The client should display an error message that the server aborted the connection. FortiGate sends the
replacement message as a server response.
In proxy-based inspection mode, FortiGate buffers the file to scan the content before
sending the file or a replacement message to the client.
4. Close the FileZilla FTP client.
View the Antivirus Logs
Now, you will check and confirm the logs for the test you just performed.
To view the antivirus logs

Forward Traffic.
2. Locate the antivirus logs message from when you tried to access the file from the FTP, and double-click the log
entry to view the details.

DO Exercise
NOT2: Configuring
REPRINT Proxy-Based Antivirus Scanning View the Antivirus Logs
© FORTINET
The Details tab shows forward traffic log information along with the action taken.
3. To view security log information, do one of the following:

l Select the Security tab. This includes information more specific to the security event, such as file name,
virus/botnet, reference, and so on.
l Click Log & Report > AntiVirus.

DO NOT REPRINT
© FORTINET
Lab 11: Intrusion Prevention System (IPS) and Denial of
Service (DoS)
In this lab, you will set up intrusion prevention system (IPS) profiles and denial of service (DoS) policies. You will
also use a vulnerability scanner and a custom script to generate attacks on Local-FortiGate.
Objectives
l Protect your network against known attacks using IPS signatures
l Use rate based signatures to block brute force attacks
l Mitigate and block DoS attacks
Time to Complete
Prerequisites

2. In the upper-right corner of the screen, in the admin drop-down menu, select Configuration > Restore.
3. Select Local PC, and then click Upload.

4. Click Desktop > Resources > FortiGate-Security > Intrusion-Prevention-System > local-intrusion-
prevention-system.conf, and then click Open.
5. Click OK.

DO NOT REPRINT
© FORTINET
Exercise 1: Blocking Known Exploits
During this exercise, you will configure IPS inspection on Local-FortiGate.
Configure IPS Inspection
First, you will configure an IPS sensor that includes the signatures for known attacks on Windows operating
systems.
To configure IPS
2. Click Security Profiles > Intrusion Prevention.
4. In the Name field, type WEBSERVER for the new sensor name.
5. In the IPS Filters section, click Add Filter.
6. In the Add Filter window, click Add Filter.

7. Click Severity, type Medium in the search bar, and then click Medium:

DO Apply
NOT REPRINT
an IPS Sensor to a VIP Firewall Policy Exercise 1: Blocking Known Exploits
© FORTINET
8. Click Add Filter again.
9. Click Severity, type High in the search bar and then click High:
10. Click Add Filter one more time.

11. Click Severity, type Critical and then click Critical:
12. Click Use Filters.

All the signatures matching the filter are added to the IPS sensor and FortiGate will take the default action for
these signatures.
13. Click OK.

14. Click Apply.
Apply an IPS Sensor to a VIP Firewall Policy
You will apply the new IPS sensor to a firewall policy that allows external access to the web server running on
Local-Windows.

On the Local-FortiGate GUI (10.0.1.254), do the following:
l Configure a new virtual IP to map the external IP 10.200.1.200 to the internal IP 10.0.1.10, using
port1 as the external interface. Name the virtual IP VIP-WEB-SERVER.
l Create a new firewall policy to allow all inbound traffic to the virtual IP and enable the WEBSERVER IPS
sensor. Name the firewall policy Web_Server_Access_IPS.
After you complete the challenge, see Generate Attacks from the Linux Server on page 186

DO Exercise
NOT1: Blocking
REPRINT
Known Exploits Apply an IPS Sensor to a VIP Firewall Policy
© FORTINET
To create a virtual IP
1. Continuing on the Local-Fortigate GUI, click Policy & Objects > Virtual IPs.
2. Click Create New > Virtual IP.
Field Value
Name VIP-WEB-SERVER
Interface port1
External IP Address/Range 10.200.1.200
Mapped IP Address/Range 10.0.1.10
4. Click OK.
To configure a firewall policy

2. Click Create New and create a new firewall policy using the following settings:
Field Value
Name Web_Server_Access_IPS
Source all
Destination VIP-WEB-SERVER
Schedule always
Service ALL
Action ACCEPT
Inspection Mode Flow-based
NAT disabled
3. In the Security Profiles section, enable IPS, and from the drop-down list, select WEBSERVER .
The policy should look like the following example:

DO Generate
NOTAttacks
REPRINT
from the Linux Server Exercise 1: Blocking Known Exploits
© FORTINET
Configuring full SSL inspection would significantly increase the time required to
complete this lab. Therefore, for the purposes of this exercise, you will not configure
full SSL inspection.
4. Click OK.
Generate Attacks from the Linux Server
You will run a Perl script to generate attacks from the Linux server located in front of Local-FortiGate.
To generate attacks from the Linux server

1. Continuing on Local-Windows, open PuTTY and connect over SSH to the LINUX saved session.
2. At the login prompt, enter the user name student with the password password.
3. Run the following script to start the attacks:
nikto.pl -host 10.200.1.200

DO Exercise
NOT1: Blocking
REPRINT
Known Exploits Monitor the IPS
© FORTINET
Do not close the LINUX PuTTY session or traffic will stop generating.
Monitor the IPS
You will check the IPS logs to monitor for known attacks being detected and dropped by Local-FortiGate.

On the Local-FortiGate GUI (10.0.1.254), complete the following:
l Review the IPS logs for all detected and dropped attacks.
l Review the FortiGuard encyclopedia pages.
To monitor the IPS

Intrusion Prevention.
The IPS logs section will not display if there are no IPS logs. FortiGate displays this
section only after creating logs. After the attacks, if the Intrusion Prevention menu
item does not display in the GUI, refresh your browser or log out of the Local-FortiGate
GUI and log back in again.
2. Locate and review the relevant log entries for the detected and dropped attacks.
FortiGate will create an intrusion prevention log entry for each:
l Detected attack without blocking it

l Dropped attack with blocking it

DO Monitor
NOTthe REPRINT
IPS Exercise 1: Blocking Known Exploits
© FORTINET
3. Click a log entry, and then click Details.
4. Click the Attack Name link:
5. Review the FortiGuard encyclopedia pages for the signatures.

The FortiGuard encyclopedia provides information about signatures, such as severity, coverage, affected
products, impact, and recommended actions that you can take.
None of the affected products are currently installed on Local-Windows. This

information is important to make note of before you tune the WEBSERVER IPS
sensor. If the affected products aren't installed, is it really necessary to inspect those
packets?
6. Close the LINUX PuTTY.

DO NOT REPRINT
© FORTINET
Exercise 2: Using Rate Based IPS Signatures
In this exercise, you will configure a rate based signature to detect and block a brute force FTP attack.
Apply Rate Based Signatures
You will create a new IPS sensor, then enable and configure the appropriate signature to detect and block FTP
brute force attacks. You will then apply the IPS sensor to all outbound traffic on Local-FortiGate.
To create an IPS sensor

2. Click Security Profiles > Intrusion Prevention.
4. In the Name field, type FTP_BRUTE_FORCE.
5. In the Rate Based Signatures table, enable the FTP.Login.Brute.Force signature.
6. Double click the FTP.Login.Brute.Force signature and configure the values given in the table below:
Field Value
Threshold 5
Duration (seconds) 10
Track By Source IP
Action Reset
7. Click OK.
To apply IPS on outbound traffic

2. Double-click the existing Full_Access policy to edit it.
3. In the Security Profiles section, enable IPS, and in the drop-down list, select FTP_BRUTE_FORCE.
4. Click OK.
Test the Rate Based Signature
You will use a custom Windows batch script to generate invalid login attempts to the FTP server located on the
Linux VM. You will then verify your configuration using the IPS logs.

DO Test
NOT REPRINT
the Rate Based Signature Exercise 2: Using Rate Based IPS Signatures
© FORTINET
A typical brute force attack makes use of a dictionary of usernames and passwords. In
this scenario, the script is using an incorrect username and password to flood the FTP
server with invalid login attempts. The 530 Login incorrect responses from the
FTP server should be enough to trigger the signature.
To run the Windows batch script

1. Continuing on the Local-Windows VM, open a command prompt window.
2. Change the working directory to Resources\FortiGate-Security\Intrusion-Prevention-System:
>cd Desktop
>cd Resources
>cd FortiGate-Security
>cd Intrusion-Prevention-System
3. Execute the Windows batch script:

bruteFTP
4. Wait for the script to finish running all 10 attempts, and then press any key to stop the script.
5. Leave the command prompt window open in the background.
To view the IPS logs

1. Return to the browser tab where you are logged in to the Local-FortiGate GUI, and click Log & Report >
Intrusion Prevention.
2. Locate the logs for the FTP brute force attacks:
Why are there only six log entries, when the script generated 10 login attempts?

DO Exercise
NOT2: Using
REPRINT
Rate Based IPS Signatures Test the Rate Based Signature
© FORTINET
Stop and think!
The FTP.Login.Brute.Force rate based signature was configured with a threshold of five. The IPS
signature action only triggered after the threshold was met.
To verify the IPS signature action

1. Continuing on the Local-Windows VM, go back to the command prompt window.
2. Scroll up and locate Attempt 4 and Attempt 5.
Note that for Attempt 4, the server response is 530 Login incorrect. However, for Attempt 5,
the error message is Connection closed by remote host. This is where the rate based signature's
action triggers, and the FTP client's connections are reset. This Connection closed by remote
host message repeats until the script ends with Attempt 10.
3. Close the command prompt window.

DO NOT REPRINT
© FORTINET
Exercise 3: Mitigating a DoS Attack
In this exercise, you will configure the Local-FortiGate for DoS protection.
Create a DoS Policy
You will create a DoS policy to detect and block an icmp flood attack

On the Local-FortiGate GUI (10.0.1.254 | admin/ password), do the following:
l Create a new IPv4 DoS policy for port1.

l Configure the policy to block ICMP floods with a threshold of 200.
l Enable logging.
After you complete the challenge, see Test the DoS Policy on page 193.
To create a DoS policy

2. Click Policy & Objects > IPv4 DoS Policy.
Field Value
Source Address all
Destination Address all
Services ALL
5. Locate icmp_flood, and enable Status and Logging.

6. Set the Action to Block and the Threshold to 200.

DO Exercise
NOT3: Mitigating
REPRINT a DoS Attack Test the DoS Policy
© FORTINET
7. Click OK.
Test the DoS Policy
You will generate an ICMP flood from the Linux VM. This will trigger the DoS policy on Local-FortiGate.
To test the DoS policy

1. Continuing on the Local-Windows VM, open PuTTY and connect over SSH to the LINUX saved session.
2. At the login prompt, enter the user name student with a password of password.
3. Execute the following command to generate an ICMP flood to Local-FortiGate:
sudo ping -f 10.200.1.1
A password prompt for the studentaccount is displayed
The command option -f causes the ping utility to run continuously, and not wait for
replies between ICMP echo requests. It also requires super-user privilege.
4. Enter password.
For every ping sent, the SSH session will display a period.
5. Leave the SSH connection open with the ping running (you can minimize the window).
To view the anomaly logs

1. Return to the browser where you are logged in to the Local-FortiGate GUI, and press F5 to refresh the browser (or
log out and log in).
2. Click Log & Report > Anomaly.

DO Test
NOT REPRINT
the DoS Policy Exercise 3: Mitigating a DoS Attack
© FORTINET
The Anomaly logs section will not display if there are no anomaly logs. If the
Anomaly menu item does not display in the GUI, refresh the browser or log out from
the Local-FortiGate GUI and log back in again.
3. Examine the logs.

Note that the ICMP flood has been blocked. This is indicated by the entry clear_session in the Action field.
4. Go back to the PuTTY window and press Ctrl+C to stop the ping.
5. Close the PuTTY session.

DO NOT REPRINT
© FORTINET
Lab 12: SSL-VPN
In this lab, you will configure an SSL-VPN connection in tunnel and web modes. You will also manage user groups
and portals for an SSL-VPN.
Objectives
l Configure and connect to an SSL-VPN.
l Enable authentication security.
l Configure a firewall policy for SSL-VPN users to access private network resources.
l Customize the SSL-VPN portal for web mode.
l Configure FortiClient for the SSL-VPN connection in tunnel mode.
Time to Complete
Prerequisites


4. Click Desktop > Resources > FortiGate-Security > SSL-VPN > local-SSL-VPN.conf, and then click
Open.
5. Click OK.

DO NOT REPRINT
© FORTINET
Exercise 1: Configuring Web Mode SSL-VPN
On FortiGate, there are two modes you can configure to allow remote access through SSL-VPN: web mode and
tunnel.
In this exercise, you will test web mode, which will allow SSL-VPN users to connect from the Remote-Windows
VM, to resources located in the local subnet (10.0.1.0/24).
Configure the SSL-VPN Settings
Now, you will configure the SSL-VPN settings to allow the remote connection shown in the following example:
To create a user for SSL-VPN connections

2. Click User & Device > User Definition.
4. Click Local User, and then click Next.
5. Enter the following credentials for the remote user, and then click Next:
Username student
Password fortinet
6. Leave the contact info empty, and click Next.

7. For User Account Status, verify that Enabled is selected.
8. Enable User Group, click the + field that appears, and then, in the right pane, select SSL_VPN_USERS.
9. Click Submit.
The group SSL_VPN_USERS has been preconfigured for the purpose of this lab.
To review the settings of this group, click User & Device > User Groups.

DO Exercise
NOT1: Configuring
REPRINT Web Mode SSL-VPN Create a Firewall Policy for SSL-VPN
© FORTINET
To configure the SSL-VPN settings for web access
1. Continuing on the Local-FortiGate GUI, click VPN > SSL-VPN Settings.
2. In the Connection Settings section, configure the following settings:
Field Value
Listen on Interface(s) port1
Listen on Port 10443
Restrict Access Allow access from any host
Inactive For 3000 seconds
Server Certificate Fortinet_Factory
3. In the Tunnel Mode Client Settings section, configure the following settings:
Field Value
Address Range Automatically assign addresses
4. In the Authentication/Portal Mapping section, select All Other Users/Groups, and then click Edit.
5. In the Portal drop-down list, select web-access, and then click OK.
6. Click Apply to save the changes.
7. Click OK to confirm the use of the built-in certificate.
Notice the warning message displayed on the top of this page. It indicates that you need to create a firewall
policy for SSL-VPN connections.
Create a Firewall Policy for SSL-VPN
Now, you will create a firewall policy that allows traffic to the local subnet (10.0.1.0/24) from remote users
connected to the SSL-VPN portal.

DO Test
NOT REPRINT
the SSL-VPN Access Exercise 1: Configuring Web Mode SSL-VPN
© FORTINET
To create a firewall policy for SSL-VPN

2. Click Create New, and then configure the following firewall policy settings:
Field Value
Name SSL-VPN-Access
Incoming Interface SSL-VPN tunnel interface (ssl.root)
Source Address > SSLVPN_TUNNEL_ADDR1
User > SSL_VPN_USERS
Destination LOCAL_SUBNET
Schedule always
Service ALL
Action ACCEPT
Inspection mode Flow-based
NAT Disabled
3. Click OK.
The SSL-VPN firewall policy will only allow traffic from users within the group SSL_
VPN_Users.
Test the SSL-VPN Access
Now, you will test the SSL-VPN by accessing resources remotely within the local subnet (10.0.1.0/24) .

DO Exercise
NOT1: Configuring
REPRINT Web Mode SSL-VPN Test the SSL-VPN Access
© FORTINET
For this, you will connect to the SSL-VPN portal using the Remote-Windows VM, and then you'll perform an RDP
connection to the Local-Windows VM.
To access the SSL-VPN portal

1. In your lab environment, connect to the Remote-Windows VM.
2. Open Firefox and connect to:
https://10.200.1.1:10443/
A security warning appears.
Stop and think!

Why do you receive a security warning?
For SSL connections, FortiGate is using a built-in certificate, which is signed by a certificate authority that
the browser does not trust.
3. Click Advanced, click Add Exception, and then click Confirm Security Exception.
The remote login page opens.
4. Log in as student with the password fortinet.

The SSL-VPN web portal opens. The portal is using default settings.
To test the SSL-VPN portal

1. Continuing on the SSL-VPN portal where you are logged in as student, click Quick Connection.
Notice all the available options the SSL-VPN portal allows for connections.
2. Click RDP, and configure the following setting:
Field Value
Host 10.0.1.10
3. Keep the default values for the remaining settings, and then click Launch.
4. Wait five seconds, and then click TRAININGAD\Administrator when it appears.
5. Enter the password password.
You are now remotely connected to the Local-Windows VM.
6. Close the web browser that is running the RDP session.

7. In the upper-right corner, click student > Logout to log out of the SSL VPN portal.

DO Add
NOT REPRINT
an Admin-Based Bookmark to the SSL-VPN Portal Exercise 1: Configuring Web Mode SSL-VPN
© FORTINET
Add an Admin-Based Bookmark to the SSL-VPN Portal
In this exercise, you will customize the SSL-VPN portal with a new color and a predefined bookmark.
To customize the SSL-VPN Portal

2. From the environment find and click Send Ctrl-Alt-Del.
3. Click theTRAININGAD\Administrator user account.
4. Enter the password password.
5. Open a browser and log in to the Local-FortiGate GUI at 10.0.1.254 with the user name admin and password
password.
6. Click VPN > SSL-VPN Portals.
7. Select web-access, and then click Edit.
Field Value
Portal Message My Portal
Theme Red
Show Connection Launcher <disable>
User Bookmarks <disable>
9. In the Predefined Bookmarks section, click Create New, and then configure the following settings:
Field Value
Name Local-Windows VM
Type HTTP/HTTPS
URL http://10.0.1.10
Single Sign-On Disabled
10. Click OK.

11. Click OK again to save the portal's settings.

DO Exercise
NOT1: Configuring
REPRINT Web Mode SSL-VPN Test SSL-VPN Access Using the Predefined Bookmark
© FORTINET
Test SSL-VPN Access Using the Predefined Bookmark
Now, you will connect again to the SSL-VPN portal on the Remote-Windows VM to access the resources in the
local subnet (10.0.1.0/24).
For this, you will access the Local-Windows VM using the predefined bookmark on the SSL-VPN Portal.
Notice that the SSL-VPN Portal looks different and provides fewer settings.
To test the bookmark

1. Return to the Remote-Windows VM.
2. Open Firefox, and then reconnect to the SSL VPN portal at:
https://10.200.1.1:10443/
3. Log in using the username student with the password fortinet.

Notice the SSL VPN portal no longer allows quick connections or to add bookmarks.
4. Click the Local-Windows VM bookmark.

You will connect to the web server running on the Local-Windows VM at 10.0.1.10.

DO Examine
NOTtheREPRINT
Web Mode Mechanism (Reverse HTTP Proxy) Exercise 1: Configuring Web Mode SSL-VPN
© FORTINET
Examine the Web Mode Mechanism (Reverse HTTP Proxy)
Now, you will examine the reverse HTTP proxy mechanism, to learn how SSL-VPN connections in web mode
work..
To examine the reverse HTTP proxy mechanism

1. Continuing on the Remote-Windows VM where you are connected to the web server running on the Local-
Windows VM at 10.0.1.10, examine the URL in the address bar.
If you were on the local network while accessing the website, the address would be http://10.0.1.10.
But, because you are accessing it remotely through FortiGate's HTTP proxy, the URL is different.
Notice the URL structure in the browser's address bar:

https://10.200.1.1:10443/proxy/..../http/10.0.1.10/
What does it mean?
Part of the URL Description
https://10.200.1.1:10443 Indicates that the connection is SSL/TLS-encrypted, and that the portal is
on FortiGate's port1 SSL-VPN gateway.
/proxy/..../http/ Indicates that the connection is being handled by FortiGate's HTTP

reverse proxy.
10.0.1.10/ Indicates the destination IP address of the website inside your private
network, which you are accessing through the VPN.
FortiGate encrypts the connection to the browser, but the destination server's IP
address in the URL is displayed in clear text, not hidden from users. The secondary
connection, from FortiGate's HTTP proxy to the bookmarked website, is not
encrypted.
Monitor an SSL-VPN User
Now, you will monitor and disconnect an SSL-VPN user from the FortiGate GUI.
To monitor and disconnect an SSL-VPN user

1. Return to the Local-Windows VM where you are logged in to the Local-FortiGate GUI.
2. Click Monitor > SSL-VPN Monitor.
You can see the student user is connecting from the remote host 10.200.3.1.

DO Exercise
NOT1: Configuring
REPRINT Web Mode SSL-VPN Monitor an SSL-VPN User
© FORTINET
3. Right-click student, and select End Session.
4. Click OK.
The student user no longer appears in the SSL-VPN monitor.

DO NOT REPRINT
© FORTINET
Exercise 2: Configuring SSL-VPN Tunnel Mode
In this exercise, you will change the SSL-VPN settings to allow remote access to the resources in the local subnet
(10.0.1.0/24), but perform a connection in tunnel mode from the Remote-Windows VM.
You will use the remote access module of FortiClient, which supports Fortinet's SSL-VPN client.
FortiClient is already installed on the Remote-Windows VM.
Add Tunnel Mode
Now, you will change the SSL-VPN portal mapping settings to use tunnel-access, in order to allow connections
in tunnel mode only.
The full-access setting available on FortiGate supports both web and tunnel mode.
To add tunnel mode

2. Click VPN > SSL-VPN Settings.
3. In the Authentication/Portal Mapping section, select All Other Users/Groups, and then click Edit.
4. In the Portal drop-down list, select tunnel-access, and click OK.

5. Click Apply.

DO Exercise
NOT2: Configuring
REPRINT SSL-VPN Tunnel Mode Configure the Routing for Tunnel Mode
© FORTINET
Configure the Routing for Tunnel Mode
Now, you will establish the routing address to use in tunnel mode.
Notice that in tunnel mode, the FortiClient establishes one or more routes in the SSL-VPN user's host after the
tunnel is connected. Traffic destined to the internal subnets is correctly routed through the tunnel.
To configure the routing for tunnel mode

1. Continuing on the Local-FortiGate GUI, click VPN > SSL-VPN Portals.
2. Select the tunnel-access portal, and then click Edit.
3. In the Tunnel Mode section, set the Routing Address to LOCAL_SUBNET.
4. Click OK.
Configure FortiClient for SSL-VPN connections
SSL-VPN connections in tunnel mode require FortiClient. You will use FortiClient that is installed on the Remote-
Windows VM to test your configuration.
To configure FortiClient for SSL-VPN

1. Connect to the Remote-Windows VM.
2. Start the FortiClient application located on the desktop.

DO Test
NOT REPRINT
SSL-VPN in Tunnel Mode Exercise 2: Configuring SSL-VPN Tunnel Mode
© FORTINET
3. Click REMOTE ACCESS, and then click Configure VPN .

4. Select the SSL-VPN tab, and then configure the following settings:
Field Value
Connection Name Local-FortiGate
Remote Gateway 10.200.1.1
Customize port <enable> | 10443
5. Click Save.
Test SSL-VPN in Tunnel Mode
Now, you will connect using the student account to test tunnel mode.
To connect in tunnel mode

1. Open FortiClient, and then click REMOTE ACCESS.
2. Enter the username student with the password fortinet.

DO Exercise
NOT2: Configuring
REPRINT SSL-VPN Tunnel Mode Test SSL-VPN in Tunnel Mode
© FORTINET
3. Click Connect.
4. Click Yes to accept the certificate.
The tunnel is connected.
To test the tunnel

1. Continuing on the Remote-Windows VM, open Firefox and access the following URL:
2. Look at the URL.

You are connected to the web server URL as if you were based in the local subnet (10.0.1.0/24).

DO Review
NOT VPNREPRINT
Events Exercise 2: Configuring SSL-VPN Tunnel Mode
© FORTINET
This time, you are not using the reverse HTTP proxy as in the case of web-access mode. The IP traffic is
directly encapsulated over HTTPS and sent through the tunnel.
3. Return to FortiClient, and then click Disconnect.
To attempt SSL-VPN access by web mode

1. Continuing on the Remote-Windows VM, open a web browser and log in to the SSL-VPN portal at
https://10.200.1.1:10443/ using the username student and the password fortinet.
2. View the warning message.
The web access for SSL-VPN is not available because you set up the SSL-VPN settings for tunnel-access.
The full-access setting supports both web and tunnel modes.
3. Close the web browser.
Review VPN Events
Now, you'll review the VPN events for both of the SSL-VPN connections you performed in this lab (web and tunnel
modes).
To review VPN events for SSL-VPN connections

2. Open a browser and log in to the Local-FortiGate GUI at 10.0.1.254 with the user name admin and password
password.
3. Click Log & Report > VPN Events.
4. Compare the log details of the tunnel-up logs you see.
Hint: Use your log filters to filter on Action = tunnel-up.
The most recent tunnel-up log shows one IP address under Remote IP. This log shows the recent
connection to the SSL-VPN portal. Even though the SSL-VPN portal presented a warning message and it did
not allow remote access to the local resources, FortiGate shows that an SSL-VPN connection was
established and the tunnel was up.

DO Exercise
NOT2: Configuring
REPRINT SSL-VPN Tunnel Mode Review VPN Events
© FORTINET
The second most recent tunnel-up log in the VPN event list, shows the SSL-VPN connection in tunnel mode
through FortiClient. Notice this log presents two IP addresses:
l Remote IP: IP address of the remote user's gateway (egress interface).

l Tunnel IP: IP address FortiGate assigns to the virtual network adapter fortissl.
Stop and think!

Aside from SSL-VPN connections in web mode showing one IP address and tunnel mode showing
two IP addresses, what other indicator shows how SSL-VPN users are connected?
Notice the Tunnel Type indicator in the log details shown in the previous step.
l ssl-web for web mode.

l ssl-tunnel for tunnel mode.
1.

DO NOT REPRINT
© FORTINET
Lab 13: Dialup IPsec VPN
In this lab, you will configure a dialup VPN between two FortiGate devices. You will also create a dialup VPN
between FortiGate and FortiClient.
Objectives
l Deploy a dialup VPN between two FortiGate devices
l Deploy a dialup VPN between FortiGate and FortiClient
Time to Complete
Prerequisites
Before beginning this lab, you must restore a configuration file on Remote-FortiGate and Local-FortiGate .


4. Click Desktop > Resources > FortiGate-Security > Dialup-IPsec > Dialup-IPsec-Two-FortiGates >
remote-dialup-IPsec-TwoFGT.conf, and then click Open.
5. Click OK.

DO Lab
NOT REPRINT
13: Dialup IPsec VPN
© FORTINET

4. Click Desktop > Resources > FortiGate-Security > Dialup-IPsec > Dialup-IPsec-Two-FortiGates > local-
dialup-IPsec-TwoFGT.conf, and then click Open.
5. Click OK.

DO NOT REPRINT
© FORTINET
Exercise 1: Configuring a Dialup IPsec VPN Between Two
FortiGate Devices
In this exercise, you will configure a dialup VPN between the Local-FortiGate and the Remote-FortiGate. Local-
FortiGate will act as dialup server and Remote-FortiGate will act as dialup client.
Create Phase 1 and Phase 2 on Local-FortiGate (Dialup Server)
Now, you will configure the IPsec VPN by creating phases 1 and 2.
To create phase 1 and phase 2

2. Click VPN > IPsec Tunnels, and then click Create New.
3. Complete the following:
Field Value
Name ToRemote
Template Type Custom
4. Click Next.
5. In the Network section, configure the following settings:
Field Value
Remote Gateway Dialup user
Interface port1
6. In the Authentication section, configure the following settings:
Field Value
Method Pre-shared Key
Pre-shared Key fortinet
Mode Aggressive
Accept Types Specific peer ID
Peer ID fortinet

DO Exercise
NOT1:Devices
FortiGate
Configuring a Dialup IPsec VPN Between Two
REPRINT Create Firewall Policies for VPN Traffic on Local-
FortiGate (Dialup server)
© FORTINET
The peer ID shown in the configuration above was selected, which you need if you
have more than one dialup client.
7. Keep the default values for the remaining settings.

8. In the Phase 2 Selectors section, complete the following:
Field Value
Local Address 10.0.1.0/24
Remote Address 10.0.2.0/24
9. Click OK.
Although you have created a route-based IPsec tunnel, you do not need to add a static
route because it is a dialup VPN. FortiGate will dynamically add or remove appropriate
routes to each dialup peer, each time the peer's VPN is trying to connect.
Create Firewall Policies for VPN Traffic on Local-FortiGate (Dialup server)
Now, you will create two firewall policies between port3 and To Remote: one for each traffic direction.
To create the firewall policies for VPN traffic


DO Create
NOT Firewall Policies for VPN Traffic on Local-
FortiGate REPRINT
(Dialup server)
FortiGate Devices
© FORTINET
Field Value
Name Remote_out
Outgoing Interface To Remote
Source LOCAL_SUBNET
Destination REMOTE_SUBNET
Schedule always
Service ALL
Action ACCEPT
4. In the Firewall/Network Options section, disable NAT.

5. Click OK.
Field Value
Name Remote_in
Incoming Interface To Remote
Source REMOTE_SUBNET
Schedule always
Service ALL
Action ACCEPT

9. Click OK.

DO Exercise
NOT1:Devices
FortiGate
Configuring a Dialup IPsec VPN Between Two
REPRINT Create Phase 1 and Phase 2 on Remote-FortiGate
(Dialup Client)
© FORTINET
Create Phase 1 and Phase 2 on Remote-FortiGate (Dialup Client)
Now, you will add phases 1 and 2 on Remote-FortiGate.
To create phase 1 and phase 2

1. Continuing on the Local-Windows VM, open a browser and log in to the Remote-FortiGate GUI at 10.200.3.1
with the user name admin and password password.
2. Click VPN > IPsec Tunnels.
Field Value
Name ToLocal
Template Type Custom
5. Click Next.
6. In the Network section, configure the following settings:
Field Value
Remote Gateway Static IP Address
IP Address 10.200.1.1
Interface port4
7. In the Authentication section, configure the following settings:
Field Value
Method Pre-shared Key
Pre-shared Key fortinet
Mode Aggressive
Accept Types Any peer ID
8. In the Phase 1 Proposal section, configure the following settings:
Field Value
Local ID fortinet

DO Create
NOT
(Dialup
Phase 1 and Phase 2 on Remote-FortiGate
REPRINT
Client)
FortiGate Devices
© FORTINET
The local ID should be same as the peer ID that you configured on Local-FortiGate
that is acting as the dialup server.
9. Keep the default values for the remaining settings.

10. In the Phase 2 Selectors section, configure the following settings:
Field Value
Local Address 10.0.2.0/24
Remote Address 10.0.1.0/24
11. Click OK.

DO Exercise
NOT
Two
1: Configuring a Dialup IPsec VPN Between
REPRINT
FortiGate Devices
Create a Static Route for Route-Based VPN on Remote-
FortiGate (Dialup Client)
© FORTINET
Now the quick mode selectors in both sides mirror each other. If that is not the case,
the tunnel will not come up.
Create a Static Route for Route-Based VPN on Remote-FortiGate (Dialup Client)
Now, you will create one static route, because the current VPN is route based.
To create a static route for a route-based VPN

1. Continuing on the Remote-FortiGate GUI, click Network > Static Routes.
Feild Value
Destination Subnet
10.0.1.0/24
Interface ToLocal
4. Click OK.
Create the Firewall Policies for VPN Traffic on Remote-FortiGate (Dialup Client)
Now, you will create two firewall policies between port6 and To Local: one for each traffic direction.

DO Create
NOT the Firewall Policies for VPN Traffic on Remote-
FortiGate REPRINT
(Dialup Client)
Exercise 1: Configuring a Dialup IPsec VPN Between
Two FortiGate Devices
© FORTINET
To create the firewall policies for VPN traffic
1. Continuing on the Remote-FortiGate GUI, click Policy & Objects > IPv4 Policy.
Field Value
Name Local_out
Outgoing Interface ToLocal
Source REMOTE_SUBNET
Schedule always
Service ALL
Action ACCEPT

5. Click OK.
6. Click Create New again.
Field Value
Name Local_in
Incoming Interface ToLocal
Source LOCAL_SUBNET
Destination REMOTE_SUBNET
Schedule always
Service ALL
Action ACCEPT

9. Click OK.

DO Exercise
NOT
Two
1: Configuring a Dialup IPsec VPN Between
REPRINT
FortiGate Devices
Create the Firewall Policies for VPN Traffic on Remote-
FortiGate (Dialup Client)
© FORTINET

DO NOT REPRINT
© FORTINET
Exercise 2: Testing and Monitoring the VPN
Now that you have configured the VPN on both FortiGate devices, you will test the VPN.
To test the VPN

2. Click Monitor > IPsec Monitor.
Notice that the VPN is currently down.
3. Right-click the VPN, and then click Bring Up > All Phase 2 Selectors.
The Name column of the VPN now contains a green up arrow, indicating that the tunnel is up.
Stop and think!

Do I always have to bring up the tunnel manually after creating it?
No. With the current configuration, the tunnel will stay down until you manually bring it up or there is traffic
that should be routed through the tunnel. Because you are not generating traffic between 10.0.2.0/24
and 10.0.1.0/24 subnets yet, the tunnel is still down. If you had generated the required traffic while the
tunnel was down, it would have come up automatically.
You can only initiate a tunnel from Remote-FortiGate because it is a dialup client .
4. Switch to the Remote-Windows VM.

5. Open a command prompt window, and then run the following command to ping the Local-Windows VM:
ping 10.0.1.10
The ping should work.

7. On the Remote-FortiGate GUI, click Monitor > IPsec Monitor.
8. Click Refresh to refresh the screen.
You will notice that the counters for Incoming Data and Outgoing Data have increased. This indicates that
the traffic between 10.0.1.10 is 10.0.2.10 is being encrypted successfully and routed through the
tunnel.

DO Exercise
NOT2: Testing
REPRINT
and Monitoring the VPN
© FORTINET
9. Open a new browser tab and log in to the Local-FortiGate GUI at 10.0.1.254 with the user name admin and
password password.
10. Click Monitor > Routing Monitor.
Find the static route that was dynamically added to the FortiGate.
11. View the details of the To Remote VPN connection.

Notice the Remote Gateway IP address.

DO NOT REPRINT
© FORTINET
Exercise 3: Creating an IPsec VPN Between FortiGate
and FortiClient
Now, you will now create a dial-up VPN between FortiGate and FortiClient.
Prerequisites
Before beginning this lab, you must restore a configuration file on Remote-FortiGate and Local-FortiGate.


4. Click Desktop > Resources > FortiGate-Security > Dialup-IPsec > Dialup-IPsec-Forticlient > remote-
dialup-IPsec-VPN.conf, and then click Open.
5. Click OK.


DO Exercise
NOT3: REPRINT
Creating an IPsec VPN Between FortiGate and FortiClient Configure a Dialup VPN
© FORTINET

4. Click Desktop > Resources > FortiGate-Security > Dialup-IPsec > Dialup-IPsec-Forticlient > local-
dialup-IPsec-VPN.conf>, and then click Open.
5. Click OK.
Configure a Dialup VPN
Now, you will create the dialup VPN on Local-FortiGate.
To create the dialup VPN

1. Continuing on the Local-Windows VM, open a browser and log in to the Local-FortiGate GUI at 10.0.1.254
with the user name admin and password password.
2. Click VPN > IPsec Tunnels, and then click Create New.
Field Value
Name FClient
Template Type Remote Access
Remote Device Type Client-based
FortiClient

DO Configure
NOT aREPRINT
Dialup VPN Exercise 3: Creating an IPsec VPN Between FortiGate and FortiClient
© FORTINET
4. Click Next.
Field Value
Authenticated Method Pre-shared Key
Pre-Shared Key fortinet
User Group training
For the purpose of this exercise, the user group training is pre-configured for you.
6. Click Next.
Field Value
Local Interface port3
Local Address LOCAL_SUBNET
Client Address Range 172.20.1.1-172.20.1.5

DO Exercise
NOT3: REPRINT
Creating an IPsec VPN Between FortiGate and FortiClient Configure a Dialup VPN
© FORTINET
Field Value
Subnet 255.255.255.0
DNS Server Use System DNS
Enable IPv4 Split Tunnel <enable>
Allow Endpoint Registration <disable>
8. Click Next.
9. Verify that Save Password is enabled.
10. Click Create.
The VPN wizard creates IPsec phases 1 and 2, as well as client address range firewall address, and one
firewall policy that allows incoming traffic from the VPN to the internal subnet.
VPN is setup correctly and you can view by clicking Show Tunnel List.
Please ignore the message Unable to setup VPN ,if you can view the VPN in the
tunnel list.
11. Click Show Tunnel List to view the tunnel.
Although you have created a route-based IPsec tunnel, you do not need to add a static
route because it is a dialup VPN. FortiGate will dynamically add or remove appropriate
routes to each dialup peer, each time a peer's VPN is established or disconnected.

DO Configure
NOTFortiClient
REPRINT
for Dialup VPN Exercise 3: Creating an IPsec VPN Between FortiGate and FortiClient
© FORTINET
Configure FortiClient for Dialup VPN
Now, you will configure the FortiClient IPsec client to connect to Local-FortiGate. You will use the FortiClient
installed on the Remote-Windows VM.
To configure FortiClient for dialup VPN

1. On the Remote-Windows VM, launch the FortiClient application from the desktop.
2. Click REMOTE ACCESS.
3. Click the Option icon on the top right corner, and click Add a new connection.
New VPN Connection configuration settings will appear

4. Select IPsec VPN .

DO Exercise
NOT3: REPRINT
Creating an IPsec VPN Between FortiGate and FortiClient Connect to the Dialup VPN
© FORTINET
Field Value
Connection Name FC_VPN
Remote Gateway 10.200.1.1
Authentication Method Pre-shared key
fortinet
Authentication (XAuth) Save Login
Username student
6. Click Save.
Connect to the Dialup VPN
Now, you will use FortiClient to connect to the dialup VPN you created on Local-FortiGate.
To connect to the dialup VPN

1. Continuing on the Remote-Windows VM in the FortiClient application, enter the password fortinet.

DO Connect
NOTto the
REPRINT
Dialup VPN Exercise 3: Creating an IPsec VPN Between FortiGate and FortiClient
© FORTINET
2. Click Connect.
Wait for few seconds.
3. Open the FortiClient application that has minimized to the toolbar.

A green dotted line confirms that the tunnel is up.

DO Exercise
NOT3: REPRINT
FortiClient
Creating an IPsec VPN Between FortiGate and Check the IP Address and Route Added to the Remote-
Windows VM
© FORTINET
Check the IP Address and Route Added to the Remote-Windows VM
While the dialup VPN is up, the Remote-Windows VM receives an IP address in the 172.20.1.1 -
172.20.1.5 range. FortiGate also installs a route to the subnet 10.0.1.0/24.
To check the IP address and route added to the Remote-Windows VM

1. Continuing on the Remote-Windows VM, open a command prompt window and enter the following command:
ipconfig /all
2. Analyze the output.

You should observe a virtual ethernet adapter with an IP address in the 172.20.1.1 to 172.20.1.5
range.
3. Enter the following command to display the routing table information:

route print
4. Locate the 10.0.1.0/24 network entry in the output.

DO Test
NOT REPRINT
the Dialup VPN Exercise 3: Creating an IPsec VPN Between FortiGate and FortiClient
© FORTINET
5. Close the command prompt.
Test the Dialup VPN
Now, you will test the dialup VPN by sending traffic from the Remote-Windows VM to the Local-Windows VM.
To test the dialup VPN

1. Continuing on the Remote-Windows VM, in the command prompt window, try to ping the Local-Windows VM:
ping 10.0.1.10
The ping succeeds, confirming that the tunnel is working.

3. In the browser tab where you are logged in to the Local-FortiGate GUI, click Monitor > Routing Monitor.
4. Find the static route that was dynamically added to the FortiGate.

DO Exercise
NOT3: REPRINT
Creating an IPsec VPN Between FortiGate and FortiClient Disconnect the Dialup VPN
© FORTINET
5. Click Monitor > IPsec Monitor.

6. View the details of the FClient_0 VPN connection.
Notice the Remote Gateway IP address.
Disconnect the Dialup VPN
Now, you will disconnect the Remote-Windows VM from the dialup VPN.
To disconnect the dialup VPN

1. On the Remote-Windows VM, open FortiClient.
2. Click Disconnect.

DO NOT REPRINT
© FORTINET
No part of this publication may be reproduced in any form or by any means or used to make any
derivative such as translation, transformation, or adaptation without permission from Fortinet Inc.,
as stipulated by the United States Copyright Act of 1976.
Copyright© 2019 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet,
Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company
names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and
actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein
represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written
contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified
performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For
absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any
commitment related to future deliverables, features, or development, and circumstances may change such that any forward-looking statements herein are not accurate.
Fortinet disclaims in full any covenants, representations,and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify,
transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.

FortiGate Security 6.2 Lab Guide-Online

Uploaded by

Copyright:

Available Formats

FortiGate Security 6.2 Lab Guide-Online

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

FortiGate Security 6.2 Lab Guide-Online

Uploaded by

Copyright:

Available Formats

DO NOT REPRINT

FortiGate Security Lab

Fortinet Network Security Expert Program (NSE)

Virtual Lab Basics 9

FortiGate Security 6.2 Lab Guide 9

To run the remote access test

2. Inside the Speed Test box, click Run.

10 FortiGate Security 6.2 Lab Guide

To log in to the remote lab

3. Enter your first and last name.

FortiGate Security 6.2 Lab Guide 11

5. To open a VM from the dashboard, do one of the following:

Follow the same procedure to access any of your VMs.

12 FortiGate Security 6.2 Lab Guide

Disconnections and Timeouts

If that fails, see Troubleshooting Tips on page 15.

The GUIs of some Fortinet devices require a minimum screen size.

FortiGate Security 6.2 Lab Guide 13

Sending Special Keys

14 FortiGate Security 6.2 Lab Guide

FortiGate Security 6.2 Lab Guide 15

16 FortiGate Security 6.2 Lab Guide

To expedite the response, enter the following command in the CLI:

FortiGate Security 6.2 Lab Guide 17

18 FortiGate Security 6.2 Lab Guide

Explore the CLI

To explore the CLI

get system status

To continue scrolling Space bar

To scroll one line at a time Enter

5. Enter the following command:

The ? character is not displayed on the screen.

6. Press the Up Arrow key twice.

FortiGate Security 6.2 Lab Guide 19

Previous command Up Arrow

Next command Down Arrow

Beginning of line CTRL+A

End of line CTRL+E

Back one word CTRL+B

Forward one word CTRL+F

Delete current character CTRL+D

Clear screen CTRL+L

Abort command and exit CTRL+C

Auto repeat history CTRL+P

8. Enter the following command:

9. Type exe, and then press the Tab key.

show system interface port3

12. Enter the following command:

show full-configuration system interface port3

20 FortiGate Security 6.2 Lab Guide

FortiGate Security 6.2 Lab Guide 21

Restore Configuration From a Backup

Now, you will restore a configuration from a backup.

To restore a configuration from a backup

22 FortiGate Security 6.2 Lab Guide

FortiGate Security 6.2 Lab Guide 23

Back Up and Encrypt a Configuration File

To save an encrypted configuration backup

24 FortiGate Security 6.2 Lab Guide

Take the Expert Challenge!