
FortiGate Security

Introduction to FortiGate and the Security Fabric

© Copyright Fortinet Inc. All rights reserved. Last Modified: 24 January 2020
Lesson Progress

High-Level Features

Setup Decisions

Basic Administration

Built-In Servers

Fundamental Maintenance

FortiGate Within the Security Fabric

High-Level Features
Objectives
• Identify platform design features of FortiGate
• Identify features of FortiGate in virtualized networks and the cloud
The Modern Context of Network Security
• Firewalls are more than gatekeepers on the network perimeter.
• Today’s firewalls are designed in response to multi-faceted and multi-device
environments with no identifiable perimeter:
o Mobile workforce
o Partners accessing your network services
o Public and private clouds
o Internet of things (IoT)
o Bring your own device (BYOD)
• Firewalls are expected to perform different functions within a network.
o Different deployment modes:
• Distributed enterprise firewall
• Next-generation firewall
• Internal segmentation firewall
• Data center firewall
o DNS, DHCP, web filter, intrusion prevention system (IPS), and so on

Platform Design
(Diagram: FortiGuard Subscription Services supply threat intelligence and centralized management to FortiOS, which provides next-generation firewall, web filter, antivirus, IPS and further features; FortiOS runs on FortiASIC-optimized hardware or a hypervisor and integrates with FortiClient, FortiWeb, FortiSandbox and FortiMail.)
Topology in the Cloud
• Deploy FortiGate in virtualized networks
o FortiGate VM – Same features as physical FortiGate appliance except FortiASIC
o FortiGate VMX – Subset of features for VMware NSX (east-west) data flows
o FortiGate Connector for Cisco ACI – Subset for Cisco ACI (north-south) data flows. Integrates physical or virtual appliance.
• Faster setup and teardown: SDN + VMs

FortiGate VM Specifications (FortiGate VM, VMX or Connector deployment)
Licenses: Max. 1 / 2 / 4 / 8 vCPU
Hypervisor: VMware, Hyper-V, KVM, Citrix Xen Server, Open Source Xen, Azure, Amazon AWS (BYOL & on-demand)
Memory: Max. 1 / 4 / 8 / 12 GB
Interfaces: 10/100/1000, 2-4 virtual NICs
Storage Capacity: 40+ GB
Setup Decisions
Objectives
• Identify the factory defaults
• Select an operation mode
• Understand FortiGate’s relationship with FortiGuard and distinguish between live
queries and package updates
Modes of Operation
NAT
• FortiGate is an OSI Layer 3 router
• Interfaces have IP addresses
• Packets are routed by IP
Transparent
• FortiGate is an OSI Layer 2 switch or bridge
• Interfaces do not have IPs
• Cannot route packets, only forward or block
Factory Default Settings
• Port1 or internal interface IP: 192.168.1.99/24
• PING, HTTP, HTTPS, and SSH protocol management enabled
• Built-in DHCP server is enabled on port1 or internal interface
o Only on entry-level models that support DHCP server
• Default login:
User: admin
Password: (blank)
o Both are case sensitive
o Modify the default (blank)
root password
• Can access FortiGate on the CLI
o Console: without network
o CLI Console widget and terminal emulator, such as PuTTY or Tera Term

FortiGuard Subscription Services
• Internet connection and contract required
• Provided by FortiGuard Distribution Network (FDN)
o Major data centers in North America, Asia, and Europe
• Or, from FDN through your FortiManager
o FortiGate prefers data center in nearest time zone,
but will adjust by server load
• Package updates: FortiGuard Antivirus and IPS
o update.fortiguard.net
o TCP port 443 (SSL)
• Live queries: FortiGuard Web Filtering, DNS Filtering, and Antispam
o service.fortiguard.net
o Proprietary protocol on UDP port 53 or 8888

Basic Administration
Objectives
• Manage administrator profiles
• Manage administrative users
• Define the configuration method for administrative users
• Control administrative access to the FortiGate GUI and CLI
• Manage specific aspects of the network interfaces
Administration Methods
• CLI: Console, SSH, Telnet, GUI Widget
• GUI: FortiExplorer, Web Browser (HTTP, HTTPS)
Basic CLI Commands
• Use the following commands to check the system status and list all or only non-default attribute values for an interface.
• Use <command set> ? to list the commands that you can use with a command set (for example, get ?), and <command set> <command> ? to list the sub-commands under a command (for example, execute backup ?).

What to investigate… / CLI command to use…
• What is the current status of FortiGate? – get system status
• What are all the attribute values for the system interface? – show full-configuration system interface <port>
• What are the non-default attribute values for the system interface? – show system interface <port>
Create an Administrative User
System > Administrators

Administrator Profiles: Permissions
System > Admin Profiles

Administrator Profiles: Hierarchy
• super_admin – Full global access
• custom_profile1 – Partial global access
• prof_admin – Full access in virtual domain
• custom_profile2 – Partial access in VDOM
Two-Factor Authentication
Password (one factor) + FortiToken (two factor)
Resetting a Lost Admin Password
User: maintainer
Password: bcpb<serial-number>
All letters in <serial-number> must be upper case, for example, FGT60.
• All FortiGate models and some other Fortinet device types
• Only after hard power cycle
o Soft cycle (reboot) does not work for security reasons.
• Only during first 60 seconds after boot (varies by model)
o Tip: Copy serial number into the terminal buffer, then paste.
• Only through hardware console port
o Requires physical access for security reasons.
o If compliance/risk of physical access requires, maintainer can be disabled:
config sys global
set admin-maintainer disable
end
Administrative Access: Trusted Sources
System > Administrators
If admin1 attempts to log in to the FortiGate GUI from any IP other than 10.0.1.10, they receive the error message shown on the slide.
Administrative Access: Ports and Password
System > Settings
• Port numbers are customizable.
• Using only secure access (SSH, HTTPS) is recommended.
• Default idle timeout is 5 minutes.
Administrative Access: Protocols
Network > Interfaces
• Enable acceptable management
protocols on each interface
independently:
o Separate IPv4 and IPv6
o IPv6 options hidden by default
• Also protocols where FortiGate is the
destination IP:
o FortiTelemetry
o CAPWAP
o FMG-Access
o FTM
o RADIUS Accounting

Features Hidden by Default
System > Feature Visibility
• By default, some features like IPv6 are hidden on the GUI.
o Hidden features are not disabled.
• In Feature Visibility, select to hide/show groups of features commonly used together.
Interface IPs
Network > Interfaces
• In NAT mode, interfaces cannot be used until they have an IP address:
o Manually assigned
o Automatic
• DHCP
• PPPoE
• Exceptions: Dedicate to FortiSwitch and the One-Arm Sniffer
o Note that the One-Arm Sniffer is available only when editing an unreferenced interface.
Interface Role Compared to Alias
Network > Interfaces
• Role defines interface settings typically grouped together.
o Avoids accidental misconfiguration
o Four types:
• WAN
• LAN
• DMZ
• Undefined (show all settings)
o Not in list of policies
• Alias is a friendly descriptor for the interface.
o Used in list of policies (Policy & Objects > IPv4 Policy) to label interfaces by purpose
Static Gateway
Network > Static Routes
• Must be at least one default gateway
• If the interface is DHCP or PPPoE, the gateway can be added dynamically.

Link Aggregation
Network > Interfaces
• Bundles several physical ports to form a single point-to-point logical channel with greater bandwidth.
o Increases redundancy for higher availability
Built-In Servers
Objectives
• Enable the DHCP service on FortiGate
• Enable the DNS service on FortiGate
• Understand the configuration possibilities and some of their implications
FortiGate as a DHCP Server
Network > Interfaces

DHCP Server: IP Reservation
Network > Interfaces
• Reservations reassign the IP address to the same host.
o To reserve, select IP address or choose existing DHCP lease.
o Identify reservation as either:
• Regular (over Ethernet)
• Over IPSec
• FortiGate uses the host’s MAC address to look up its IP address in the reservation table.
• Actions if MAC is unknown
FortiGate as a DNS Server
• Resolves DNS lookups from the internal network
o Enabled per interface
o Not appropriate for Internet service because of load, and therefore should not be public facing.
• One DNS database can be shared by all FortiGate interfaces.
o Can be separate per VDOM
• Resolution methods:
o Forward: relay requests to the next server (in DNS settings).
o Non-recursive: use FortiGate DNS database only to try to resolve queries.
o Recursive: use FortiGate DNS database first; relay unresolvable queries to next server (in DNS
settings).

DNS Forwarding
Network > DNS Servers
• Forwarding allows DNS control without the local FQDN database
• Sends query to the external DNS server
o Double-click the interface field, or select it and click Edit.
To view DNS Servers in Network, you must make it visible in System > Feature Visibility > DNS database.
DNS Database: Configuration
• Add DNS zones
o Each zone has its own domain name
o RFC 1034 and 1035
• Add DNS entries to each zone
o Host name
o IP address it resolves to
o Types supported:
• IPv4 address (A) or IPv6 address (AAAA)
• Name server (NS)
• Canonical name (CNAME)
• Mail exchange (MX) server
• IPv4 (PTR) or IPv6 (PTR)

Fundamental Maintenance
Objectives
• Back up and restore system configuration files
• Understand the restore requirements for plain text and encrypted configuration files
• Identify the current firmware version
• Upgrade firmware
• Downgrade firmware
Configuration File: Backup and Restore
• Configuration can be saved to an external device
o Optional encryption
o Can back up automatically
• Upon logout
• Not available on all models
• To restore a previous configuration, upload file.
o Reboots FortiGate
Configuration File Format
• Plain text
o Only non-default and important settings (smaller file size)
o Header shows device model, build number, and firmware major version
• Encrypted
o Header shows device model, build number, and firmware major version
o After the header, the encrypted file is not readable.
• Restoring configuration
o Encrypted? Same device/model + build + password required.
o Unencrypted? Same model required.
Upgrade Firmware
• The current firmware version can be viewed on the Dashboard or in System > Firmware (or on the CLI: get system status).
• If there is an updated firmware version, you will be notified.
• Firmware can be updated by clicking Upload Firmware or selecting the upgrade option in the notification icon drop-down list.
• Make sure you read the Release Notes to verify the upgrade path and other details.
Upgrade Firmware Process
1. Back up the configuration (full config backup on GUI or CLI).
2. Download a copy of the current firmware, in case reversion is needed.
3. Have physical access, or a terminal server connected to local console, in case
reversion is needed.
4. Read the Release Notes; they include the upgrade path and other useful
information.
5. Perform the upgrade.

Downgrade Firmware Process
1. Get the pre-upgrade configuration file.
2. Download a copy of the current firmware, in case reversion is needed.
3. Have physical access, or a terminal server connected to the local console, in
case reversion is needed.
4. Read the Release Notes. (Does downgrade preserve configuration?)
5. Downgrade the firmware.
6. If required, upload the configuration that matches the firmware version.

FortiGate Within the Security Fabric
Objectives
• Define the Fortinet security fabric
• Identify why the security fabric is required
• Identify the Fortinet devices that participate in the security fabric, especially the
essential ones
• Understand how to configure the security fabric at a high level
What is the Fortinet Security Fabric?
• An enterprise solution that enables a holistic approach to network security, whereby the network landscape is visible through a single console and all network devices are integrated into a centrally managed and automated defence.
• The security fabric has these attributes:
o Broad
o Powerful
o Automated
• The API allows for third-party device integration.
(Diagram: the Fortinet Security Fabric links Management, Endpoint, SIEM, SDN, Virtual and Cloud components.)
Why a Security Fabric?
• Many administrators lack visibility of
their network defences, making their
networks more susceptible to
undetected network infiltration.
• Network complexity and sophisticated
malware (soon to be augmented by
AI), necessitates a centralized and
holistic approach to security.

Devices That Comprise the Security Fabric
• Core – must have:
o Two or more FortiGate devices + FortiAnalyzer
• Recommended – adds significant visibility or control:
o FortiManager, FortiAP, FortiSwitch, FortiClient, FortiSandbox, FortiMail
• Extended – integrates with fabric, but may not apply to everyone:
o Other Fortinet products and third-party products using the API
How Do You Implement the Security Fabric?
Here is an example of a simple network using only the core security fabric components (diagram):
• There is a FortiAnalyzer and one next-generation firewall (NGFW). This FortiGate will be configured as the root firewall. In this example, the alias for the firewall is External (diagram port labels: Port 10, Port 11, Port 12, Port 16).
• There are three internal segmentation firewalls (ISFWs) that segregate the WAN into logical components and allow your network to contain a threat, should a breach occur:
o Accounting ISFW – Accounting network 10.10.10.0/24
o Marketing ISFW – Marketing network 10.10.200.0/24
o Sales ISFW – Sales network 10.10.35.0/24
How Do You Implement the Security Fabric? (Cont’d)
Security Fabric > Settings (on the root FortiGate and on each branch FortiGate)
• Group name and password for the security fabric
• Root FortiGate: FortiAnalyzer IP address
o The root FortiGate pushes its FortiAnalyzer configuration to all downstream FortiGate devices
• Branch FortiGate: upstream FortiGate IP address
Security Fabric Audit
• The audit identifies critical security gaps.
• The Security Score helps you to identify the security issues in your network and to prioritize your tasks.
• Some security issues, named Easy Apply, can be resolved immediately.
Review
✓ Identify key FortiGate features, services, and built-in servers
✓ Identify the differences between the two operating modes, and the relationship between FortiGate and FortiGuard
✓ Identify the factory defaults, basic network settings, and console ports
✓ Execute basic administration, such as creating administrative users and permissions
✓ Execute backup and restore tasks and discuss the requirements for restoring an encrypted configuration file
✓ Initiate an upgrade and downgrade of the firmware
✓ Identify the characteristics of the Fortinet security fabric, FortiGate’s role in it, and the high-level installation
FortiGate Security
Logging and Monitoring

© Copyright Fortinet Inc. All rights reserved. Last Modified: 24 January 2020
Lesson Progress

Log Basics

Local Logging

Remote Logging

Log Settings

View, Search, and Monitor Logs

Protecting Log Data

Log Basics
Objectives
• Describe the log workflow
• Identify log types and subtypes
• Describe log severity levels
• Describe the layout of a log message
• Describe the effect of logging on performance
Logging Workflow
1. Traffic passes through FortiGate to your network.
2. FortiGate scans the traffic and takes action based on configured firewall policies.
3. Activity is recorded and the information is contained in a log message.
4. Log message is stored in a log file and on a device capable of storing logs (local FortiGate device or an external device, such as FortiAnalyzer).
(Diagram: 1 Traffic goes to FortiGate; 2 FortiGate scans and takes action based on firewall policies; 3 Activity recorded in log message; 4 Log file stored on FortiGate or on FortiAnalyzer (external device optional). NTP server recommended.)
• Purpose of logs:
o Monitor network and Internet traffic volumes
o Diagnose problems
o Establish normal baselines to recognize anomalies and trends
Log Types and Subtypes
• Traffic logs record traffic flow information, such as an HTTP/HTTPS request and its response (if any).
• Event logs record system and administrative events, such as adding or modifying a setting, or daemon activities.
• Security logs record security events, such as virus attacks and intrusion attempts, based on the security profile type (log type = utm).
o If no security logs exist, the menu item does not appear in the GUI.

Log types and their subtypes:
• Traffic: Forward, Local, Sniffer
• Event: Endpoint Control, High Availability, System, User, Router, VPN, WAD, Wireless
• Security: Application Control, Antivirus, Data Leak Prevention (DLP), Anti-Spam, Web Filter, Intrusion Prevention System (IPS), Anomaly (DoS-policy), Web Application Firewall (WAF)
o WAN optimization logs are found within traffic logs.
o GPRS Tunneling Protocol (GTP) logs are handled separately from default event logs.
Log Severity Levels
• Each log entry includes a log level (also known as priority level) that ranges in order of importance
o 0 = high importance / 6 = low importance

Level – Description
0 – Emergency – System unstable
1 – Alert – Immediate action required
2 – Critical – Functionality affected
3 – Error – Error exists that can affect functionality
4 – Warning – Functionality could be affected
5 – Notification – Information about normal events
6 – Information – General system information
7 – Debug – Diagnostic information for investigating issues (rarely used, unless actively investigating an issue with Fortinet Support)
Log Message Layout
• Log header (similar in all logs)
o Type and subtype = Name of log file
o Level = Severity level

date=2016-06-14 time=12:05:28 logid=0316013056 type=utm subtype=webfilter
eventtype=ftgd_blk level=warning vd=root

• Log body (varies by log type)
o policyid = Firewall policy applied to session
o srcip and dstip = Source and destination IP
o hostname = URL or IP of host
o action = Action taken by FortiGate
o msg = Reason for the action

policyid=1 sessionid=10879 user="" srcip=10.0.1.10 srcport=60952 srcintf="port3"
dstip=52.84.14.233 dstport=80 dstintf="port1" proto=6 service="HTTP"
hostname="miniclip.com" profile="default" action=blocked reqtype=direct
url="/favicon.ico" sentbyte=297 rcvdbyte=0 direction=outgoing
msg="URL belongs to a denied category in policy" method=domain cat=20 catdesc="Games"
crscore=30 crlevel=high

Logging in a Security Fabric Design
• Requisite products: two or more FortiGates and a FortiAnalyzer (a remote logging
device)
• With FortiGate, you can enable different security features in different firewalls in the
fabric
o Ensures you do not have to scan and log the same traffic flow more than once when it passes
more than one firewall
• FortiGate can share network-related information
o Devices connected to downstream FortiGates will be visible on the upstream device as well (you
must enable device detection on the Interfaces page of the FortiGate GUI)
• Administrators can view logs and devices connected to the network by logging on
to the root FortiGate in the security fabric
o Information is securely shared using the FortiTelemetry protocol

Effect of Logging on Performance
• More logs = more CPU, memory, and disk space
• Depending on the amount of traffic you have, and the logging settings that are enabled, your traffic logs can swell and impact the performance of your firewall
• Traffic logs record every session
o Extra information for troubleshooting
o Some UTM events
o More system intensive
• Enable performance statistic logging for remote logging devices on FortiGate:

# config system global
set sys-perf-log-interval <number from 0-15>
end
Best Practices – Log Management
• Always have a log management plan that addresses the following:
o What FortiGate activities do you want and need logged (for example, security features)?
o What logging device is best suited for your network structure?
o Do you want or require archiving of logs? FortiAnalyzer is recommended.
o What is your backup solution in the event a failure occurs?

• Implement a remote logging solution (for example, FortiAnalyzer) and ensure you
plan for future growth

• Revisit your plan and backup solution frequently!

• Configure alert messages for important activities

Local Logging
Objectives
• Identify local log storage options
• Enable local logging
• Understand disk allocation and reserved space
• Monitor disk usage
• Configure behavior when disk is full
Log Storage – Local
Flash memory
• Constant rewrites can reduce the lifetime and efficiency of the memory
• Logging disabled by default
• Not recommended for logging; use an external logging device instead
Hard drive
• FortiGate devices that have a hard drive store logs in an SQL database
• Data is extracted from the SQL database for reports
• Performance may be impacted under heavy strain
Enabling Local Logging
Log & Report > Log Settings
• To store logs locally on FortiGate, you must enable disk logging.
• With disk logging enabled, the report daemon collects statistics used for historical FortiView from disk.
o If disk logging is disabled, FortiView logs are only available in real-time.
• By default, logs older than seven days are deleted from disk (configurable).

# config log disk setting
set status enable
end

# config log disk setting
set maximum-log-age <integer>
end
FortiGate Disk Allocation – Reserved Space
• The system reserves approximately 25% of its disk space for system usage and unexpected quota overflow.
o Only ~75% of disk space is available to store logs
• Use this command to obtain the amount of reserved space on your FortiGate:

FGT_A (global) # diagnose sys logdisk usage
Total HD usage: 208MB/118145MB
Total HD logging space: 88608MB
HD logging space usage for vdom “root”: 0MB/9965MB
HD logging space usage for vdom “vdom1:” 0MB/104857MB

• Formulas:
o disk - logging = reserved (for example, 118145MB – 88608MB = 29537MB reserved)
o reserved/disk*100 = reserved % (for example, 29537/118145*100 = 25%)
Monitoring Disk Usage
Log & Report > Log Settings
• Local disk usage
o Free space
o Used space
• Historical disk usage
o Volume of disk logging activity over time
• The CLI command shown on the slide reports how much space is currently being used for logs.
Behavior When Disk is Full
• By default, when the disk is full, the oldest logs are overwritten.
o Configurable: can set to stop logging when disk is full
• FortiGate issues warnings before disk reaches a full state (default settings, configurable):
o First warning: 75%
o Second warning: 90%
o Final warning: 95%

# config log disk setting
set diskfull [overwrite | nolog]
set full-first-warning-threshold <1-98>
set full-second-warning-threshold <2-99>
set full-final-warning-threshold <3-100>
end

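As an added example (not part of the course material), the following script applies the arithmetic of the two slides above: it parses the `diagnose sys logdisk usage` output from the Reserved Space slide, computes the reserved space with the course's formulas, and reports which of the three disk-full warnings a VDOM's current log quota usage has reached. The sample output is the slide's with its quoting normalised; the requirement that the thresholds increase is this example's own sanity check, not a documented FortiOS rule.

```python
"""Log-disk reserved space and full-disk warnings (added example, not from the course).

Applies the FortiGate Disk Allocation formulas (disk - logging = reserved;
reserved / disk * 100 = reserved %) to the text of `diagnose sys logdisk usage`,
and evaluates a VDOM's log quota usage against the first/second/final
warning thresholds whose defaults and CLI ranges are given on the
Behavior When Disk is Full slide.
"""
import re
from typing import Dict, List, Tuple

# Output copied from the slide, quoting normalised (constructed sample input).
SAMPLE_OUTPUT = """\
Total HD usage: 208MB/118145MB
Total HD logging space: 88608MB
HD logging space usage for vdom "root": 0MB/9965MB
HD logging space usage for vdom "vdom1": 0MB/104857MB
"""

_TOTAL_RE = re.compile(r"Total HD usage:\s*(\d+)MB/(\d+)MB")
_LOGGING_RE = re.compile(r"Total HD logging space:\s*(\d+)MB")
# Tolerates straight or curly quotes and a stray colon around the VDOM name.
_VDOM_RE = re.compile(r"vdom\s+\W*(\w+)\W+(\d+)MB/(\d+)MB")

# Default warning thresholds (percent of the VDOM's log quota) from the slide.
DEFAULT_THRESHOLDS: Dict[str, int] = {"first": 75, "second": 90, "final": 95}
# Permitted CLI ranges: set full-*-warning-threshold <1-98> / <2-99> / <3-100>.
CLI_RANGES = {"first": (1, 98), "second": (2, 99), "final": (3, 100)}


def parse_logdisk_usage(text: str) -> Dict[str, object]:
    """Extract total disk, logging space and per-VDOM usage/quota (all in MB)."""
    total = _TOTAL_RE.search(text)
    logging = _LOGGING_RE.search(text)
    if not total or not logging:
        raise ValueError("unrecognised 'diagnose sys logdisk usage' output")
    vdoms = {name: (int(used), int(quota))
             for name, used, quota in _VDOM_RE.findall(text)}
    return {
        "used_mb": int(total.group(1)),
        "disk_mb": int(total.group(2)),
        "logging_mb": int(logging.group(1)),
        "vdoms": vdoms,
    }


def reserved_space(disk_mb: int, logging_mb: int) -> Tuple[int, int]:
    """Slide formulas: reserved MB and reserved percentage (rounded) of the disk."""
    reserved = disk_mb - logging_mb
    return reserved, round(reserved / disk_mb * 100)


def validate_thresholds(thresholds: Dict[str, int]) -> None:
    """Reject values outside the CLI ranges; the ordering rule is this example's own check."""
    for name, (low, high) in CLI_RANGES.items():
        if not low <= thresholds[name] <= high:
            raise ValueError(f"{name} warning threshold must be {low}-{high}")
    if not thresholds["first"] < thresholds["second"] < thresholds["final"]:
        raise ValueError("thresholds must increase: first < second < final")


def crossed_warnings(used_mb: int, quota_mb: int,
                     thresholds: Dict[str, int] = DEFAULT_THRESHOLDS) -> List[str]:
    """Names of the warnings a VDOM at used/quota has reached, lowest first."""
    validate_thresholds(thresholds)
    pct = used_mb / quota_mb * 100
    return [name for name, limit in thresholds.items() if pct >= limit]


if __name__ == "__main__":
    info = parse_logdisk_usage(SAMPLE_OUTPUT)
    mb, pct = reserved_space(info["disk_mb"], info["logging_mb"])
    print(f"reserved: {mb}MB ({pct}%)")
    for vdom, (used, quota) in info["vdoms"].items():
        print(vdom, used, "/", quota, "MB", crossed_warnings(used, quota) or "ok")
```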
Remote Logging
Objectives
• Identify external log storage options
• Configure remote logging
• Understand how remote logging works with VDOMs
• Understand log transmission
• Enable reliable logging
Log Storage – Remote
FortiCloud
• Hosted subscription-based service
• Long-term log storage and reporting
• Bound to Fortinet Support account
• FortiGate includes a free tier (see documentation for quotas)
FortiAnalyzer
• Logging server
• Central repository for networked devices
• Consolidates logs
• Long term, dedicated storage of log data
• Reports
• Log limit dependent on model
FortiManager
• Primary purpose: central administrative management of networked devices
• Like FortiAnalyzer, can also store logs and generate reports, but has a fixed amount per day that is less than an equivalent size FortiAnalyzer
FortiSIEM
• Unified event correlation and risk management
• Collect, parse, normalize, index, and store security logs
Syslog
• Remote logging
FortiAnalyzer and FortiManager Log Storage
Log & Report > Log Settings
• FortiGate can send logs to both FortiAnalyzer and FortiManager (FortiGate must be a registered device)
o Register the FortiGate with the FortiAnalyzer/FortiManager
• Can configure up to three separate FortiAnalyzer and FortiManager devices using the CLI
o Multiple devices may be needed for redundancy
o Generating and sending logs requires resources; be aware!
o Commands are not cumulative

# config log [fortianalyzer|fortianalyzer2|fortianalyzer3] setting
set status enable
set server <server_IP>
end
Upload Option
Log & Report > Log Settings
• Near real-time uploading and consistent high-speed compression and analysis
• Configure logging options:
o store-and-upload (CLI configuration only; available only to FortiGates with an internal hard drive)
o Real Time
o Every Minute
o Every 5 Minutes (default)

# config log fortianalyzer setting
set upload-option [store-and-upload | realtime | 1-minute | 5-minute]
end

• By default, if the FortiAnalyzer disk is full, the oldest logs are overwritten. However, you can configure FortiAnalyzer to stop logging.
FortiAnalyzer Temporarily Unavailable to FortiGate?
• The FortiGate miglogd process caches logs on FortiGate when FortiAnalyzer is not reachable.
• When the maximum cached value is reached, miglogd drops cached logs (oldest first).
• When the FortiAnalyzer connection is back, miglogd sends the cached logs.
o The FortiGate buffer will keep logs long enough to sustain a reboot of FortiAnalyzer, but is not intended for lengthy outages.
• The CLI output on the slide shows the maximum cache size and the current cache size; if there are bursts or the link is overloaded, the failed counter increases, and if the queue is full, the failed-log value increases.
FortiCloud, Syslog, and FortiSIEM Log Storage
FortiCloud
Log & Report > Log Settings
• Must activate FortiCloud account (dashboard) first
• Encryption algorithm setting is not available to configure in the GUI

# config log fortiguard setting
set status enable
set source-ip <src IP used to connect to FortiCloud>
set upload-option <realtime | 1-minute | 5-minute>
set enc-algorithm <high-medium | high | low | disable>
end

Syslog and FortiSIEM
Log & Report > Log Settings
• Enable and add IP/FQDN of syslog or FortiSIEM server
• Can configure up to four remote syslog servers or FortiSIEMs using the CLI
• FortiGate logs can be sent to syslog servers in CSV or CEF format

# config log [syslogd | syslogd2 | syslogd3 | syslogd4] setting
set status enable
set server <syslog_IP>
end

# config log syslogd3 setting
set format [csv | cef]
end
VDOMs and Remote Logging
• If you have a FortiGate with Virtual Domains (VDOMs) configured, you can globally add multiple FortiAnalyzers and syslog servers.
o On each VDOM, you can override these global settings, which allows you to configure only one FortiAnalyzer and one syslog server for that VDOM.
o The management VDOM is responsible for sending logs to FortiAnalyzer; if you use the override-setting in a VDOM, that VDOM is now responsible for sending its own logs to the new FortiAnalyzer.

Global settings:
# config system global
config log fortianalyzer setting
set status enable
set server 10.0.1.1
end
config log fortianalyzer2 setting
set status enable
set server 10.0.2.1
end

Per-VDOM override (the slide shows the Training VDOM and the Root VDOM; two variants of the override are given):
# config vdom
edit Training
config log fortianalyzer override-setting
set override enable
set status enable
set server 10.0.1.210
end

# config vdom
edit Training
config log fortianalyzer override-setting
set override enable
set status enable
set server 192.168.1.3
end
Log Transmission
• FortiGate uses UDP 514 (or TCP 514 if reliable logging is enabled) for log transmission.
o The Log Settings page shown on the slide controls reliable logging and the encryption algorithm
• Log messages are stored on disk and transmitted to FortiAnalyzer as plain text in LZ4 compressed format.
o Reduces disk log size and reduces log transmission time and bandwidth usage
Reliable Logging
• Changes the log transport delivery method from UDP to TCP
• TCP provides reliable data transfer
o Guarantees the data transferred remains intact and arrives in the same order in which it was sent
o Error checking and error recovery
o Acknowledgement segments to ensure packet is received
o Connection-oriented protocol (SYN, SYN-ACK, ACK handshake)
• If you enable logging to FortiAnalyzer using the GUI, reliable logging is auto-enabled.
o If you enable logging to FortiAnalyzer using the CLI, reliable logging is not auto-enabled. You must manually enable it using the CLI command:

# config log fortianalyzer setting
set reliable [enable/disable]
end

# config log syslogd setting
set reliable [enable/disable]
end

o When enabled on syslog, the default port becomes port 601
• FortiCloud uses TCP, and you can set the encryption algorithm using the CLI (default setting is high).
OFTPS
• If using reliable logging, you can encrypt communications using SSL-secured OFTP (OFTPS).
o Reliable logging must be enabled to use OFTPS

# config log fortianalyzer setting
set status enable
set enc-algorithm [high-medium | high | low | disable]
set reliable enable
end
Log Settings
Objectives
• Configure log settings
• Enable logging on firewall policies
• Hide user names in logs
Logging Preparedness Checklist
Do you want…? / Do this…

Decides if, where, and how a log is stored:
• Do you want to store logs locally on FortiGate? – Enable disk logging. (Log & Report > Log Settings)
• Do you want to be able to view historical FortiView (not just real-time)? – Enable historical FortiView. (Log & Report > Log Settings)
• Do you want to enable remote logging to FortiAnalyzer, FortiManager, FortiCloud, FortiSIEM, or syslog? – Configure remote logging. (Log & Report > Log Settings)
o Upload time?
o Encrypted log transmission?
o Reliable logging?

# config log fortianalyzer setting
set reliable [enable | disable]
set enc-algorithm [high-medium | high | low | disable]
end

Decides whether logs are generated based on your firewall policies:
• Do you want to log allowed traffic on your firewall policy? Security events or all sessions? – Configure the Log Allowed Traffic setting on your firewall policy. (Policy & Objects > IPv4 Policy)
• Do you want to capture logs from traffic sent through your security profiles? – Enable one or more security profiles on your firewall policy. (Policy & Objects > IPv4 Policy)
Logging Settings: If, Where, and How
Log & Report > Log Settings
• Store logs locally or remotely?
• Log event logs and traffic logs?
o Local traffic logs = traffic directly to and from FortiGate (disabled by default)
o Event logs = system information generated by the FortiGate device
• Display logs from memory, disk, or FortiAnalyzer?
• Translate IPs to host names for convenience? (Can impact CPU usage and page responsiveness.)
Log Filtering
• Can configure log filter settings to determine which logs are recorded
o Configure up to four remote syslog or FortiSIEM logging servers:

# config log [syslogd | syslogd2 | syslogd3 | syslogd4] filter

o Configure up to three FortiAnalyzer devices:

# config log [fortianalyzer | fortianalyzer2 | fortianalyzer3] filter

• Filters include:
o Severity <level>
o Forward traffic [enable/disable]
o Local traffic [enable/disable]
o Multicast traffic [enable/disable]
o Sniffer traffic [enable/disable]
o Anomaly [enable/disable]
o VOIP [enable/disable]
o DLP archive [enable/disable]
o DNS [enable/disable]
o Filter [string]
o Filter type [include | exclude]
Enabling Logging on Firewall Policies
Policy & Objects > IPv4 Policy
• Firewall policy settings decide if a log message caused by traffic passing through a firewall policy is generated or not
o Must enable logging and set which traffic to log. If disabled, you will not receive logs of any kind, even if you have enabled a security profile on your firewall policy.
o Must enable one or more security profiles on your firewall policy to generate a log message for that profile
• Hardware acceleration affects logging
o Traffic offloaded to NP processors does not log traffic statistics.
o Can disable hardware acceleration
o Can enable NP packet logging (degrades NP performance)
Testing Log Settings

Test whether logs are being generated

78
Hiding User Names in Logs
• Some laws require that usernames be anonymized.
• Use the following command to hide usernames in traffic and UTM logs, so that the username appears as “anonymous”:
  # config log setting
      set user-anonymize enable
  end
• Example log message with the username anonymized:
date=2017-11-26 time=14:45:16 logid=0317013312 type=utm subtype=webfilter
eventtype=ftgd_allow level=notice vd="root" policyid=2 identidx=1
sessionid=31232959 user="anonymous" group="ldap_users" srcip=192.168.1.24
srcport=63355 srcintf="port2" dstip=66.171.121.44 dstport=80 dstintf="port1"
service="http" hostname="www.fortinet.com" profiletype="Webfilter_Profile"
profile="default" status="passthrough" reqtype="direct" url="/" sentbyte=304
rcvdbyte=60135 msg="URL belongs to an allowed category in policy" method=domain
class=0 cat=140 catdesc="custom1"

79
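The log filter slide (severity level plus an include/exclude filter string) and the anonymized sample above both deal with the same key=value record layout. The following is an added example, not Fortinet code: it parses the slide's sample record and applies a simplified model of a log filter. The `key==value` / `key!=value` filter-string syntax and the traffic-subtype switches are assumptions made for this example, not the FortiOS CLI grammar.

```python
"""Parse FortiOS key=value log records and apply a simplified log filter.

Added example, not FortiOS code. The record below is the sample from the
user-anonymize slide; the filter semantics are a constructed model of the
severity / filter / filter-type options, not a FortiOS reimplementation.
"""
import re

# FortiOS severity levels, most severe first (index 0 = emergency).
SEVERITY_ORDER = ["emergency", "alert", "critical", "error",
                  "warning", "notice", "information", "debug"]

# Sample record from the slide (username already replaced by "anonymous").
SAMPLE_LOG = (
    'date=2017-11-26 time=14:45:16 logid=0317013312 type=utm subtype=webfilter '
    'eventtype=ftgd_allow level=notice vd="root" policyid=2 identidx=1 '
    'sessionid=31232959 user="anonymous" group="ldap_users" srcip=192.168.1.24 '
    'srcport=63355 srcintf="port2" dstip=66.171.121.44 dstport=80 dstintf="port1" '
    'service="http" hostname="www.fortinet.com" profiletype="Webfilter_Profile" '
    'profile="default" status="passthrough" reqtype="direct" url="/" sentbyte=304 '
    'rcvdbyte=60135 msg="URL belongs to an allowed category in policy" method=domain '
    'class=0 cat=140 catdesc="custom1"'
)

# key=value where the value is either a double-quoted string (may contain
# spaces and escaped quotes) or a bare token.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_log(line: str) -> dict:
    """Split one FortiOS log line into a dict; quoted values keep inner spaces."""
    fields = {}
    for key, raw in _KV_RE.findall(line):
        if raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1].replace('\\"', '"')
        fields[key] = raw
    return fields


def severity_rank(level: str) -> int:
    """Lower rank = more severe; unknown levels sort as least severe."""
    return SEVERITY_ORDER.index(level) if level in SEVERITY_ORDER else len(SEVERITY_ORDER)


def _term_matches(record: dict, term: str) -> bool:
    if "!=" in term:
        key, val = term.split("!=", 1)
        return record.get(key) != val
    key, val = term.split("==", 1)
    return record.get(key) == val


def matches_filter(record: dict, severity: str = "information",
                   filter_string: str = "", filter_type: str = "include",
                   forward_traffic: bool = True, local_traffic: bool = False) -> bool:
    """Decide whether a record passes a (constructed) log filter.

    severity: least severe level still recorded.
    filter_string: space-separated key==value / key!=value terms (assumed
    syntax); filter_type says whether matching records are kept or dropped.
    forward_traffic / local_traffic: per-category switches for traffic logs.
    """
    if severity_rank(record.get("level", "")) > severity_rank(severity):
        return False
    if record.get("type") == "traffic":
        sub = record.get("subtype")
        if (sub == "forward" and not forward_traffic) or (sub == "local" and not local_traffic):
            return False
    if not filter_string:
        return True
    hit = all(_term_matches(record, t) for t in filter_string.split())
    return hit if filter_type == "include" else not hit


def is_anonymized(record: dict) -> bool:
    """True when user-anonymize has replaced the username in this record."""
    return record.get("user") == "anonymous"
```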
View, Search, and Monitor Logs
Objectives
• View and search for log messages on the GUI
• View and search for log messages on the CLI
• View logs through FortiView
• Configure alert email
• Configure threat weight
Viewing Log Messages: GUI
Log & Report
• Set log filters to narrow the search
• Log location = disk
• GUI menu items depend on incoming logs. Select the log type you want to search.
• Double-click a log to view log details
81
Searching for Logs: Filters
• Add log filters to search for specific logs
  o Click Add Filter and the available filter options appear in the drop-down list
  o If the filter you want to add is not showing as a value on the GUI, but does appear in the log itself, add the table column on the GUI
  o Right-click any table column to add a new column to the table
• Use quick filter options to search data already in the log table
  o Right-click the column of a specific log for quick filter options
82
Viewing Logs Associated with a Firewall Policy
• Access log messages generated by individual policies

Policy & Objects > IPv4 Policy

83
Viewing Log Message: CLI
# execute log filter
  Configures what log messages you will see, how many log messages you can view at one time (a maximum of 1000 lines of log messages), and the type of log messages you can view.

# execute log display
  Allows you to see the specific log messages that you already configured with the execute log filter command.

84
Viewing Log Messages: FortiView
• FortiView integrates real-time and historical data into single, summary views.

• Save as dashboard widget
• Set filters
• Table view
• Bubble chart view

85
Configuring Alert Email
Log & Report > Email Alert Settings
• Send notification to email upon detection of an event
• While there is a default mail server preconfigured, it is recommended to configure your own SMTP server first (System > Advanced)
• Configure up to three recipients
• Send alert by event or severity
  o If the alert parameter is set to Events, select the events that generate an alert
• Set how often to send alerts

86
Configuring Threat Weight
Log & Report > Threat Weight
• Prioritize solving the most relevant issues by configuring severity levels for IPS signatures, web categories, and applications with a threat weight
• Set risk level values for low, medium, high, and critical
• View detected threats from FortiView > Threats

87
Protecting Log Data
Objectives
• Perform log backups
• Configure log rolling and uploading
• Perform log downloads
Backing Up Logs
• Export all logs to FTP, TFTP, or USB (stored as LZ4 compressed files):
  # execute backup disk alllogs [ftp | tftp | usb]
• Export a specific log type to FTP, TFTP, or USB (stored as LZ4 compressed files):
  # execute backup disk log [ftp | tftp | usb] <log_type>
• These backups cannot be restored to another FortiGate
• Backup to USB appears as an option in the GUI when you insert a USB drive into FortiGate’s USB port

89
Log Rolling and Uploading
Log rolling
• Similar to zipping a file, rolling lowers the space requirements needed to contain the logs
• Can configure the max log file size to roll (default 20 MB)
• Can configure the roll schedule and time
  # config log disk setting
      set max-log-file-size <1-100>
      set roll-schedule [daily | weekly]
      set roll-day <day of week>
      set roll-time [hh:mm]

Log uploading
• Can configure rolled log files to upload to an FTP server
• Can specify which types of log files to upload
• Can configure an upload schedule and time (command not shown—similar to the log rolling example)
• Can delete log files after uploading (enabled by default)
• Can configure encrypted FTPS communication
  # config log disk setting
      set upload [enable | disable]
      set upload-destination [FTP]
      set uploadip [IPv4 IP]
      set uploadport [integer]
      set source-ip [source IPv4 IP]
      set uploaduser [FTP user]
      set uploadpass [FTP user password]
      set uploaddir [remote FTP dir]
      set uploadtype [log type]
      set upload-delete-files [enable* | disable]
      set upload-ssl-conn

90
Log Downloading
• Download logs to ensure you have a copy when they are eventually overwritten on
FortiGate
• Can download logs on the GUI
o Based on current view, including any log filters set

• Downloaded in raw format

91
Review
✓ Understand log basics (log workflow, log types and subtypes, log severity levels, and log message layout)
✓ Describe the effect of logging on performance
✓ Identify local log storage options
✓ Configure local logging
✓ Understand disk allocation and reserved space, monitor disk usage, and configure behavior when the disk is full
✓ Identify external log storage options
✓ Configure remote logging
✓ Understand log transmission and how to enable reliable logging and OFTPS
✓ Configure logging settings
✓ Understand miglogd
✓ View and search for log messages on the GUI and CLI
✓ View logs on FortiView
✓ Configure alert email and threat weight
✓ Configure log backups, rolling, uploading, downloading
FortiGate Security
Firewall Policies

© Copyright Fortinet Inc. All rights reserved. Last Modified: 24 January 2020
Lesson Progress

Firewall Policies

Configuring Firewall Policies

Managing Firewall Policies

Best Practices and Troubleshooting

94
Firewall Policies
Objectives
• Identify components of firewall policies
• Identify how FortiGate matches traffic to firewall policies
What Are Firewall Policies?
• Policies define:
o Which traffic matches them
o How to process traffic that matches
• When a new IP session packet arrives, FortiGate:
o Starts at the top of the list to look for a policy match
o Applies the first matching policy
• Implicit Deny
  o No matching policy? FortiGate drops the packet
Policy & Objects > IPv4 Policy

96
Components and Policy Types
Objects used by policies
• Interface and interface groups
• Address, user, device, and Internet service objects
• Service definitions
• Schedules
• NAT rules
• Security profiles
Policy types
• IPv4, IPv6
• Virtual wire pair (IPv4, IPv6)
• Proxy
• Multicast
• Local In Policy
(Origin and destination is FortiGate itself)
• DoS (IPv4, IPv6)
• Traffic shaping

97
How Are Policy Matches Determined?
Policy & Objects > IPv4 Policy
• Incoming and outgoing interfaces
• Source: IP address, user, device
• Destination: IP address or Internet Services
• Services
• Schedules
• Action = ACCEPT or DENY
• Authentication
• Logging
• Security Profile

98
Simplify–Interfaces and Zones
• Incoming Interface and Outgoing Interface can be interface(s) or a zone
  o Zone: Logical group of interfaces
• To match policies with traffic, select one (or more) interfaces or any interface
Network > Interfaces

99
Selecting Multiple Interfaces or Any Interface
• Disabled by default
  o Cannot select multiple interfaces or any interface in a firewall policy from the GUI
• Can be made visible in the GUI (System > Feature Visibility)
Policy & Objects > IPv4 Policy: multiple interface policies disabled compared with multiple interface policies enabled

100
Matching by Source
Policy & Objects > IPv4 Policy
• Must specify at least one source (address); the source address field is mandatory
• May specify either, neither, or both (optional):
  o Source User
  o Source Device
• Source Address
  o IP address or range
  o Subnet (IP/Netmask)
  o FQDN (the GUI shows a warning for an unresolved FQDN)
  o Geography
• Source User–Individual user or user group. This may refer to:
  o Local firewall accounts
  o Accounts on a remote server (for example, Active Directory, LDAP, RADIUS)
  o FSSO
  o Personal certificate (PKI-authenticated) users
• Source Device–Identified or manually defined client device
  o Enables device identification on the source interface

101
Source–User Identification
• Confirms the identity of the user
• Access to the network is provided after confirming the user credentials
Diagram: (1, 2) a local user or a remote user sends the username and password to FortiGate; (3) FortiGate asks the authentication server to verify the username and password; (4) the server replies Verified

102
Device Identification–Agentless vs. Agent
Agentless
• Requires direct connectivity to FortiGate
• Detection methods:
  o HTTP user agent
  o TCP fingerprinting
  o MAC address vendor codes
  o DHCP
  o Microsoft Windows browser service (MWBS)
  o SIP user agent
  o Link Layer Discovery Protocol (LLDP)
  o Simple Service Discovery Protocol (SSDP)
  o QUIC
  o FortiOS-VM detection
    • FortiOS-VM vendor ID in IKE messages
    • FortiOS-VM vendor ID in FortiGuard web filter and spam filter requests

Agent (FortiClient)
• Location and infrastructure independent
Diagram: agentless detection works on the trusted network directly connected to FortiGate; FortiClient (FC) devices are identified wherever they are

103
Device Identification
• Source Device type enables Device Detection on the source interface(s) of that policy
  o Can enable Active Scanning
Network > Interfaces
Policy & Objects > IPv4 Policy

104
Endpoint Control
• FortiGate can control FortiClient settings through FortiClient profiles and registration
• Enable FortiTelemetry on FortiGate interface(s) for registration
  o Mandatory to allow FortiClient registration
  o Optional settings
  o Registered FortiClient devices are identified by their FortiClient UID
Network > Interfaces

105
Device Identification: Device List (GUI and CLI)
• Detected devices are saved in the FortiGate flash drive for 28 days
  o A device expires and is removed from the Device Inventory list if no traffic is seen for that device
  o Can change the duration on the CLI:
    config system settings
        set discovered-device-timeout <days>
    end
User & Device > Device Inventory (lists detected devices and the detection method)

Local-FortiGate # diagnose user device list
Hosts
vd root/0 00:0c:29:e0:c1:87 ...
    created 575s gen 82 seen 1s port3 gen 68
    ip 10.0.1.10 src http
    type 17 'Windows PC' src http ...

vd root/0 00:0c:29:64:ca:2c ...
    created 311s gen 91 seen 52s port3 gen 70
    ip 10.0.1.39 src arp
    type 17 'Windows PC' src forticlient ...
    os 'Windows' version 'Server' src forticlient
    endpoint 2 'EBE211861C2E4628946B2BDD1DEAED32'

106
Example–Matching Policy by Source
• Matches by source address, user, and device type
Policy & Objects > IPv4 Policy (Address, User, and Device fields)

107
Matching by Destination
Like source, destination criteria can use:
• Address objects:
o Subnet (IP or netmask)
o IP address or address range
o FQDN
• DNS query used to resolve FQDN
o Geography
• Country defines addresses by ISP’s geographical location
• Database updated periodically through FortiGuard

• Internet service database (ISDB) objects

108
Internet Services
Policy & Objects > Internet Service Database
• Database that contains IP addresses, IP protocols, and port numbers used by the most common Internet services
  o Regularly updated through FortiGuard
Policy & Objects > IPv4 Policy
• Can be used as Destination in the firewall policy
• If Internet Service is selected as Destination:
  o You cannot use Address in the Destination
  o You cannot select Service in the firewall policy

109
Scheduling
• Policies apply only during specific times and days
o Example: A less restrictive lunch time policy
o Default schedule applies all the time

• Recurring
  o Happens every time during the specified day(s) of the week
• One-time
  o Happens only once
Policy & Objects > Schedules

110
Matching by Service
• Service determines matching transmission protocol (UDP, TCP, and so on) and port number
• Can be predefined or custom
• ALL matches all ports and protocols

Packet protocol and port = firewall policy protocol and port
Policy & Objects > Services

111
Configuring Firewall Policies
Objectives
• Restrict access and make your network more secure using security profiles
• Configure logging
• Configure learning mode to evaluate and analyze traffic
Configuring Firewall Policies
• Mandatory policy name when creating on the GUI (MUST specify a unique name)
  o Can relax the requirement by enabling Allow Unnamed Policies (System > Feature Visibility)
• Flat GUI view (enabled by default) allows:
  o Select by clicking (highlights the selected entry)
  o Drag-and-drop
  config firewall policy
      edit 1
          set name "Training"
          set uuid 2204966e-47f7-51..
• Universally Unique Identifier (UUID)

113
Security Profiles
• Firewall policies limit access to configured networks
• Security profiles configured in firewall policies protect your network by:
o Blocking threats
o Controlling access to certain applications and URLs
o Preventing specific data from leaving your network

Policy & Objects > IPv4 Policy

114
Logging
• By default, set to Security Events
  o Generates logs based on the applied security profiles only
• Can change to All Sessions
• Logging settings are shown for Accept and Deny policies
  config system settings
      set ses-denied-traffic <disable | enable>
  end
  config system global
      set block-session-timer <1-300>
  end

115
Learning Mode
• Allows everything through the firewall policy but with fully enabled logging capabilities
  o Enables hidden security profiles
    • Action set to monitor
    • Users are unable to view or edit them
  o Enables Device Detection on the source interface(s) of the policy
• All logs generated from these policies will be tagged as Learn
• Provides a cyber threat assessment report
  o Log & Reports > Learning Reports
  o Uses all learning logs and security vectors
Policy & Objects > IPv4 Policy

116
Traffic Shapers
• Rate limiting is configurable
  o In bandwidth and out bandwidth
  o Defines maximum and guaranteed bandwidth
Policies & Objects > Traffic Shaping Policy
Diagram: a Shared Traffic Shaper has one Guaranteed Bandwidth / Maximum Bandwidth pair; a Per-IP Traffic Shaper has a Guaranteed Bandwidth / Maximum Bandwidth pair for each IP

117
Managing Firewall Policies
Objectives
• Identify policy list views
• Understand the use of policy IDs and sequence numbers
• Identify where an object is referenced
Policy List–Interface Pair View and By Sequence
• Interface Pair View (can also view By Sequence)
  o Lists policies by ingress and egress interfaces (interface policy pairs)
Policy & Objects > IPv4 Policy
• By Sequence (only)
  o If policies are created using multiple source and destination interfaces or any interface
Policy & Objects > IPv4 Policy

119
Policy ID
• On the GUI, firewall policies are primarily ordered by Seq. #
• Policy IDs are identifiers
  o CLI commands use the policy ID instead of the sequence number:
    config firewall policy
        edit <policy_id>
    end
  o The policy ID is assigned by the system when the rule is created
  o The ID number never changes as rules move higher or lower in the sequence
Policy & Objects > IPv4 Policy (Policy ID column)
config firewall policy
    edit 4
        set name "Unrestricted"
        ...
    next
    edit 5
        set name "Block_FTP"

120
Simplify–Groups of Sources or Services
• You can reference address and service objects individually, or use groups to
simplify policy configuration

121
Object Usage
• Allows for faster changes to settings
• Reference column shows if the object is being used (number of times the object is used)
  o Links directly to the referencing object (referenced by policy ID)
Policy & Objects > Addresses

122
Firewall Policy–Fine Tuning
• Right-click menu contains various options to add and modify policies
Policy & Objects > IPv4 Policy

123
Best Practices and Troubleshooting
Objectives
• Identify naming restrictions for firewall policies and objects
• Reorder firewall policies for correct matching
• Demonstrate how to find matching policies for traffic type
Naming Rules and Restrictions
• Most firewall object name fields accept up to 35 characters
• Supported characters in a firewall object name:
  o Numbers: 0 to 9
  o Letters: A to Z (uppercase and lowercase)
  o Special characters: hyphen - and underscore _
  o Spaces
• Avoid using spaces in general
Policy & Objects > Addresses
• Some special characters are supported in passwords, comments, replacement messages, and so on:
  o < > ( ) # " " ' '

125
Best Practices
• Test policies in a maintenance window before deploying in production
o Test policy for few IP addresses, users, devices, and so on
• Be careful when editing, disabling, or deleting firewall policies and objects
o Changes are saved and activated immediately
o Resets active sessions
• Create firewall policies to match as specifically as possible
o Example: Restrict firewall policies based on source, destination, service
o Use proper subnetting for address objects
• Analyze and enable appropriate settings on a per-policy basis
o Security profiles
o Logging settings

126
Adjusting Policy Order
• On the GUI, drag-and-drop Seq. #
  o The Seq. number changes; the ID remains the same

Before policy move:
config firewall policy
    edit 4
        set name "Unrestricted"
        ...
    next
    edit 5
        set name "Block_FTP"

After policy move:
config firewall policy
    edit 5
        set name "Block_FTP"
        ...
    next
    edit 4
        set name "Unrestricted"

127
Combining Firewall Policies
• Check the settings before combining firewall policies
o Source and destination interfaces
o Source and destination addresses
o Services
o Schedules
o Security profiles
  o Logging
  o NAT rules
Policy & Objects > IPv4 Policy
• Example: the Seq.# 1 and 2 policies can be combined by combining their services; make decisions about the logging settings when combining them

128
Policy Lookup (GUI)
• Identify matching policy without real traffic
o Does not generate any packets
• Searches matching policy based on input criteria
o Source interface
o Protocol
• Requires more granular input criteria
o Source IP address
o Destination IP/FQDN
• Policy lookup checks
o Reverse path forward (RPF)
o Destination NAT, if matching virtual IP
o Route lookup, to resolve destination interface

129
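The matching rules described in this lesson (interfaces or any, source and destination address objects, service, schedule, first match from the top, implicit deny), the Policy ID versus Seq. # distinction, and the Policy Lookup tool that finds the match without sending traffic can all be exercised with the model below. It is an added example, not FortiOS code; the policy names, interface names, addresses and schedule are constructed for the example.

```python
"""First-match policy lookup model (added example, not FortiOS code)."""
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


def in_address_object(obj: str, ip: str) -> bool:
    """obj is 'all', a CIDR subnet, or an 'a.b.c.d-a.b.c.e' range."""
    if obj == "all":
        return True
    addr = ip_address(ip)
    if "-" in obj:
        lo, hi = (ip_address(x) for x in obj.split("-", 1))
        return lo <= addr <= hi
    return addr in ip_network(obj, strict=False)


@dataclass
class Service:
    name: str
    proto: Optional[str] = None          # None means ALL (any protocol and port)
    ports: Tuple[int, int] = (1, 65535)

    def matches(self, proto: str, dport: int) -> bool:
        return self.proto is None or (self.proto == proto
                                      and self.ports[0] <= dport <= self.ports[1])


@dataclass
class Schedule:
    """Recurring schedule: weekdays (Monday=0) and an HH:MM window."""
    days: Tuple[int, ...] = tuple(range(7))
    start: str = "00:00"
    end: str = "23:59"

    def active(self, when: datetime) -> bool:
        return when.weekday() in self.days and self.start <= when.strftime("%H:%M") <= self.end


@dataclass
class Policy:
    id: int                              # assigned once; never changes on reorder
    name: str
    srcintf: List[str]                   # interface names, or "any"
    dstintf: List[str]
    srcaddr: List[str]                   # address objects (see in_address_object)
    dstaddr: List[str]
    services: List[Service]
    action: str                          # "accept" or "deny"
    schedule: Schedule = field(default_factory=Schedule)
    enabled: bool = True

    def matches(self, pkt: dict, when: datetime) -> bool:
        return (self.enabled
                and ("any" in self.srcintf or pkt["srcintf"] in self.srcintf)
                and ("any" in self.dstintf or pkt["dstintf"] in self.dstintf)
                and any(in_address_object(a, pkt["src"]) for a in self.srcaddr)
                and any(in_address_object(a, pkt["dst"]) for a in self.dstaddr)
                and any(s.matches(pkt["proto"], pkt["dport"]) for s in self.services)
                and self.schedule.active(when))


def policy_lookup(policies: List[Policy], pkt: dict, when: datetime) -> Tuple[int, str]:
    """Walk the sequence top to bottom and return (policy id, action).

    Sends no traffic, like the GUI Policy Lookup; (0, "deny") stands for
    the implicit deny at the bottom of the list.
    """
    for pol in policies:
        if pol.matches(pkt, when):
            return pol.id, pol.action
    return 0, "deny"


def reorder(policies: List[Policy], policy_id: int, new_seq: int) -> List[Policy]:
    """Move a policy to a 1-based Seq. # position; its id travels with it."""
    moved = next(p for p in policies if p.id == policy_id)
    rest = [p for p in policies if p.id != policy_id]
    rest.insert(new_seq - 1, moved)
    return rest


# Constructed objects: Seq. # is the list position, id is fixed at creation.
ALL = Service("ALL")
HTTP = Service("HTTP", "tcp", (80, 80))
FTP = Service("FTP", "tcp", (21, 21))
LUNCH = Schedule(days=(0, 1, 2, 3, 4), start="12:00", end="13:00")
POLICIES = [
    Policy(5, "Block_FTP", ["port3"], ["port1"], ["10.0.1.0/24"], ["all"], [FTP], "deny"),
    Policy(4, "Unrestricted", ["port3"], ["port1"], ["10.0.1.0/24"], ["all"], [ALL], "accept"),
    Policy(7, "Lunch_Web", ["any"], ["any"], ["10.0.2.10-10.0.2.20"], ["all"], [HTTP],
           "accept", schedule=LUNCH),
]
MONDAY_NOON = datetime(2020, 1, 20, 12, 30)    # inside the LUNCH window
MONDAY_NIGHT = datetime(2020, 1, 20, 22, 0)    # outside it

if __name__ == "__main__":
    ftp = {"srcintf": "port3", "dstintf": "port1", "src": "10.0.1.10",
           "dst": "10.200.1.254", "proto": "tcp", "dport": 21}
    print(policy_lookup(POLICIES, ftp, MONDAY_NOON))                 # (5, 'deny')
    print(policy_lookup(reorder(POLICIES, 4, 1), ftp, MONDAY_NOON))  # (4, 'accept')
```

Moving the broad Unrestricted policy above Block_FTP is exactly the ordering mistake the Best Practices slide warns about: the first match wins, so the specific deny never gets evaluated.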
Policy Lookup Example (GUI)
• Highlights matching policy after search
Policy & Objects > IPv4 Policy

130
Review

✓ Recognize how packets match a firewall policy based on:
  ✓ Interfaces and zones
  ✓ Source and destination
  ✓ Network services
  ✓ Schedules
✓ Configure firewall policies
✓ Understand how policy IDs and sequence numbers are used
✓ Identify object usage
✓ Reorder policies to match more granular policies first
✓ Use policy lookup to find matching policies
FortiGate Security
Network Address Translation (NAT)

© Copyright Fortinet Inc. All rights reserved. Last Modified: 24 January 2020
Lesson Progress

Introduction to NAT

Firewall Policy NAT

Central NAT

Session Helpers

Sessions

Best Practices and Troubleshooting

133
Introduction to NAT
Objectives
• Understand NAT and port address translation (PAT)
• Understand the different configuration modes available for NAT
NAT and PAT
• NAT
  o Changes the IP layer address of a packet
    • Some protocols, like SIP, have addresses at the application layer, requiring session helpers or proxies
  o Source NAT (SNAT)
  o Destination NAT (DNAT)
• PAT
  o Changes the IP layer port number of a packet
• NAT64 and NAT46
  o A mechanism that allows IPv6 addressed hosts to communicate with IPv4 addressed hosts and the reverse
• NAT66
  o NAT between two IPv6 networks
Diagram: packet header fields Source IP address, Source port, Destination IP address, Destination port

135
Configuration Modes for NAT
• There are two ways to configure SNAT and DNAT:
• Firewall policy NAT
o SNAT and DNAT must be configured for each firewall policy.
• SNAT uses the outgoing interface address or configured IP pool.
• DNAT uses the configured VIP as the destination address.

• Central NAT
o SNAT and DNAT configurations are done per virtual domain.
o It applies to multiple firewall policies, based on SNAT and DNAT rules.
• SNAT rule is configured from central SNAT policy.
• DNAT is configured from DNAT and VIPs.

136
Firewall Policy NAT
Objectives
• Configure a firewall policy to perform SNAT and DNAT (VIP)
• Apply SNAT with IP pools
• Configure DNAT with VIPs or a virtual server
Firewall Policy SNAT
• There are two ways to configure firewall policy SNAT:
  o Using the outgoing interface address
  o Using the dynamic IP pool
Policy & Objects > IPv4 Policy

138
Firewall Policy SNAT Using the Outgoing Interface
Firewall policy with NAT enabled; wan1 IP address: 100.64.100.10
Packet on the internal interface (from 10.10.10.10):
  Source IP address: 10.10.10.10
  Source port: 1025
  Destination IP address: 192.168.10.10
  Destination Port: 80
Packet on wan1 (toward 192.168.10.10):
  Source IP address: 100.64.100.10
  Source port: 30912
  Destination IP address: 192.168.10.10
  Destination Port: 80
139
IP Pools
• An IP pool defines a single IP address or a range of IP addresses to be used as the source address for the duration of the session.
• IP pools are usually configured in the same range as the interface IP address.
• There are four types of IP pools:
  o Overload
  o One-to-one
  o Fixed port range
  o Port block allocation
Policy & Objects > IP Pools
Policy & Objects > IPv4 Policy

140
IP Pool Type: Overload
Firewall policy with NAT + IP pool enabled; wan1 IP address: 100.64.100.10; IP pool: 100.64.100.2-100.64.100.5
Packet on the internal interface (from 10.10.10.10):
  Source IP address: 10.10.10.10
  Source port: 1025
  Destination IP address: 192.168.10.10
  Destination port: 80
Packet on wan1 (toward 192.168.10.10):
  Source IP address: 100.64.100.? (one address from the pool)
  Source port: 30957
  Destination IP address: 192.168.10.10
  Destination port: 80

141
IP Pool Type: One-to-One
• The default IP pool type is overload.
• The IP pool type one-to-one associates an internal IP with a pool IP on a first-come,
first-served basis.
o PAT is disabled.
STUDENT # get system session list
PROTO EXPIRE SOURCE SOURCE-NAT DESTINATION DESTINATION-NAT
tcp 3598 10.0.1.10:2706 10.200.1.6:2706 10.200.1.254:80 -
tcp 3598 10.0.1.10:2704 10.200.1.6:2704 10.200.1.254:80 -
tcp 3596 10.0.1.10:2702 10.200.1.6:2702 10.200.1.254:80 -
tcp 3599 10.0.1.10:2700 10.200.1.6:2700 10.200.1.254:443 -
tcp 3599 10.0.1.10:2698 10.200.1.6:2698 10.200.1.254:80 -
tcp 3598 10.0.1.10:2696 10.200.1.6:2696 10.200.1.254:443 -
udp 174 10.0.1.10:2694 - 10.0.1.254:53 -
udp 173 10.0.1.10:2690 - 10.0.1.254:53 -

• Refuses the connection if there is no unallocated address

142
IP Pool Type: Fixed Port Range
• The fixed port range IP pool type associates an internal IP range with an external IP
range.
o Port address translation is disabled.
STUDENT # get system session list
PROTO EXPIRE SOURCE SOURCE-NAT DESTINATION DESTINATION-NAT
tcp 3574 10.0.1.11:60843 10.200.1.8:60843 216.23.154.83:80 -
tcp 3570 10.0.1.11:60809 10.200.1.8:60809 216.23.154.81:80 -
tcp 3590 10.0.1.11:60819 10.200.1.8:60819 216.23.154.74:80 -
tcp 3599 10.0.1.11:60817 10.200.1.8:60817 216.23.154.74:80 -
tcp 3586 10.0.1.11:60815 10.200.1.8:60815 216.23.154.81:80 -
tcp 3564 10.0.1.11:60807 10.200.1.8:60807 216.23.154.74:80 -
tcp 9 10.0.1.10:7112 10.200.1.7:7112 10.200.1.254:80 -
tcp 7 10.0.1.10:7110 10.200.1.7:7110 10.200.1.254:80 -
tcp 5 10.0.1.10:7108 10.200.1.7:7108 10.200.1.254:80 -
tcp 3 10.0.1.10:7106 10.200.1.7:7106 10.200.1.254:80 -
tcp 1 10.0.1.10:7104 10.200.1.7:7104 10.200.1.254:80 -

143
IP Pool Type: Port Block Allocation
• The port block allocation IP pool type assigns a block size and number per host for
a range of external IP addresses.
  o Using a small 64-block size and 1 block:
    hping --faster -p 80 -S 10.200.1.254

    STUDENT # diagnose sys session stat
    misc info: session_count=79 setup_rate=0 exp_count=0 clash=0
    memory_tension_drop=0 ephemeral=0/65536 removeable=0
    delete=0, flush=0, dev_down=0/0 ses_flush_filters=0
    TCP sessions:
    2 in ESTABLISHED state
    74 in SYN_SENT state
    1 in CLOSE_WAIT state

  o Using an overload type:
    hping --faster -p 80 -S 10.200.1.254

    STUDENT # diagnose sys session stat
    misc info: session_count=10227 setup_rate=982 exp_count=0 clash=0
    memory_tension_drop=0 ephemeral=0/65536 removeable=0
    delete=0, flush=0, dev_down=0/0 ses_flush_filters=0
    TCP sessions:
    34 in ESTABLISHED state
    10117 in SYN_SENT state
    1 in SYN_RECV state

144
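The four IP pool types above differ in how a source address and port are chosen and in when a new session is refused. The following is an added example, not FortiOS code, that models those behaviours on the slides' own addresses (one-to-one on 10.200.1.6-7, fixed port range mapping 10.0.1.10-11 onto 10.200.1.7-8, and a 64-port single-block allocation); the hash used to pick an overload address and the port numbers are constructed for the example.

```python
"""Simulate the four FortiGate IP pool SNAT types (added example, not FortiOS code)."""
from ipaddress import ip_address


def expand(start: str, end: str) -> list:
    """List every address from start to end inclusive."""
    lo, hi = int(ip_address(start)), int(ip_address(end))
    return [str(ip_address(i)) for i in range(lo, hi + 1)]


class IPPool:
    """translate() for overload, one-to-one, fixed-port-range and
    port-block-allocation pools. Port numbers and the overload hash are
    constructed; only the behaviours named on the slides are modelled."""

    def __init__(self, pool_type, start, end, internal_range=None,
                 block_size=64, num_blocks=1, pat_base=30000):
        self.type = pool_type
        self.addrs = expand(start, end)
        self.internal = expand(*internal_range) if internal_range else None
        self.block_size, self.num_blocks = block_size, num_blocks
        self.next_pat_port = pat_base     # shared PAT port counter (overload)
        self.bindings = {}                # internal ip -> external ip
        self.block_used = {}              # internal ip -> ports consumed (PBA)

    def translate(self, src_ip, src_port):
        """Return (translated ip, translated port), or None if refused."""
        if self.type == "overload":
            # PAT: pool addresses are shared; one is picked (by hash here)
            # and a fresh source port is assigned per session.
            ip = self.addrs[int(ip_address(src_ip)) % len(self.addrs)]
            self.next_pat_port += 1
            return ip, self.next_pat_port
        if self.type == "one-to-one":
            # First-come first-served binding, source port unchanged.
            if src_ip not in self.bindings:
                free = [a for a in self.addrs if a not in self.bindings.values()]
                if not free:
                    return None           # no unallocated address: refuse
                self.bindings[src_ip] = free[0]
            return self.bindings[src_ip], src_port
        if self.type == "fixed-port-range":
            # Internal range spread evenly over the external range, no PAT.
            if self.internal is None or src_ip not in self.internal:
                return None
            idx = self.internal.index(src_ip) * len(self.addrs) // len(self.internal)
            return self.addrs[idx], src_port
        if self.type == "port-block-allocation":
            # Each host owns block_size * num_blocks ports on one pool address.
            if src_ip not in self.bindings:
                self.bindings[src_ip] = self.addrs[len(self.bindings) % len(self.addrs)]
                self.block_used[src_ip] = 0
            used = self.block_used[src_ip]
            if used >= self.block_size * self.num_blocks:
                return None               # block exhausted: new session refused
            self.block_used[src_ip] = used + 1
            host_index = list(self.bindings).index(src_ip)
            base = 1024 + host_index * self.block_size * self.num_blocks
            return self.bindings[src_ip], base + used
        raise ValueError(f"unknown pool type {self.type}")


def count_admitted(pool, src_ip, attempts, first_port=40000):
    """How many of `attempts` new sessions from src_ip get a translation
    (the session-count comparison the hping slide makes)."""
    return sum(pool.translate(src_ip, first_port + i) is not None
               for i in range(attempts))
```

A port block allocation pool caps what one host can open, which is why the slide's single-block flood stays at a few dozen sessions while the overload pool lets the session table climb past 10,000.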
Virtual IPs (VIPs)
• DNAT objects
• Default type is static NAT
o Can be restricted to forward only certain ports
• From the CLI, you can select load-balance or server-load-balance.
• VIPs should be routable to the external facing (ingress) interface for return traffic.
Policy & Objects > Virtual IPs
Policy & Objects > IPv4 Policy (VIP used as the destination in the firewall policy)

145
VIP Example
Firewall policy with destination address virtual IP + Static NAT; wan1 IP address: 100.64.100.10
Packet arriving on wan1 (from 192.168.10.10):
  Source IP address: 192.168.10.10
  Destination IP address: 100.64.100.22
  Destination port: 80
VIP translates the destination 100.64.100.22 -> 10.10.10.10 (host on the internal interface)

146
Matching Policies – VIP
• Default behaviour: firewall address objects do not match VIPs.
  o Doesn’t block an egress-to-ingress connection, even when the deny policy is at the top of the list.
• VIP policy (WAN to LAN) with Action = Deny: the VIP can still be accessed through the policy below, even though the deny policy is at the top of the list.
• Two ways to resolve it by modifying the deny policy:
  o Enable match-vip in the deny policy:
    config firewall policy
        edit <policy ID for deny>
            set match-vip enable
    end
  o Set the destination address as the VIP object:
    config firewall policy
        edit <policy ID for deny>
            set dstaddr "VIP object"
    end

147
Central NAT
Objectives
• Configure central NAT
Central NAT
• Enabled or disabled on the CLI only:
  config system settings
      set central-nat {enable|disable}
  end
  o Must remove VIP and IP pool references from existing policies first:
    config system settings
        set central-nat enable
    Cannot enable central-nat with firewall policy using vip (id=2).
• Once enabled, these two options are available on the GUI:
  o Central SNAT (Source NAT)
  o DNAT & Virtual IPs (Destination NAT)
• Central SNAT is mandatory for the new NGFW policy-based mode in FortiOS 5.6

149
Central SNAT
• SNAT configuration changes when central NAT is enabled.

Central NAT enabled, SNAT: steps to configure
  1. Define an IP pool or use the outgoing interface address.
  2. Configure a central SNAT policy.
  3. Enable NAT on the firewall policy.

• If no matching central SNAT rule exists, FortiGate uses the default destination interface
address.
o Processed from top to bottom
• Matching criteria is based on:
  o Source interface
  o Destination interface
  o Source address
  o Destination address
  o Protocol
  o Source port (most protocols don’t need this)
Policy & Objects > Central SNAT

150
Central SNAT Example
Central SNAT Policy:
  Source Interface: internal
  Destination Interface: wan1
  Source: all
  Destination: 192.168.10.10
  IP Pool (translated address): 100.64.100.5
  Protocol: TCP (6)
Firewall Policy: NAT enabled; Source Interface: internal; Destination Interface: wan1; wan1 IP address: 100.64.100.10

Flow 1 (matches the central SNAT policy):
  Original: Source IP: 10.10.10.1, Source port: 1050, Destination IP: 192.168.10.10, Destination port: 80
  Translated: Source IP: 100.64.100.5, Source port: 12543, Destination IP: 192.168.10.10, Destination port: 80
Flow 2 (no matching central SNAT policy, so the wan1 interface address is used):
  Original: Destination IP: 192.168.10.20, Destination port: 80
  Translated: Source IP: 100.64.100.10, Source port: 2456, Destination IP: 192.168.10.20, Destination port: 80
151
Central DNAT and VIPs
• Enabling central NAT changes the DNAT configuration.

Central NAT enabled, Destination NAT (VIP): steps to configure
  Define DNAT & Virtual IPs (no additional configuration required)

• As soon as a VIP is created, a rule is created in the kernel to allow DNAT to occur.
o Firewall policy destination address—all or mapped IP of VIP
• VIP cannot be selected in the firewall policy as the destination address

152
DNAT and VIPs Example
DNAT & Virtual IPs:
  External IP/Address Range: 100.64.100.22
  Mapped IP Address/Range: 10.10.10.10
Firewall policy destination address: all or the mapped IP of the VIP
Packet arriving on wan1 (wan1 IP address 100.64.100.10) from 192.168.10.10:
  Source IP address: 192.168.10.10
  Destination IP address: 100.64.100.22
  Destination port: 80
VIP translates the destination 100.64.100.22 > 10.10.10.10 (host on the internal interface)

153
Session Helpers
Objectives
• Understand how session helpers work
• Use a SIP session helper for VoIP
Session Helpers
• Some traffic types require more packet modification for the application to work
(configurable on the CLI). Examples include:
o The handling of FTP active mode connections—the control connection is separate from the data
connection
o Header rewrites in SIP SDP payloads required because of NAT actions
• To show configured session helpers, use this command:
show system session-helper

• Application layer gateway (ALG)


o When more advanced application tracking and control is required, an application layer gateway
(ALG) can be used. The VoIP profile is an example of an ALG.

155
Session Helpers—SIP Example
• Stateful firewall with NAT of 172.16.1.2 to 201.11.1.3
  1. The internal phone 172.16.1.2 sends SIP signalling through the firewall (172.16.1.1 inside, 201.11.1.3 outside): “Send the media traffic to IP address 172.16.1.2, UDP port 12546”
  2. The IP address inside the payload is NATed: “Send the media traffic to IP address 201.11.1.3, UDP port 12546”
  3. The firewall opens a “pinhole” to allow the traffic that will come to port 12546
  4. Media traffic to 201.11.1.3, port 12546 is delivered as media traffic to 172.16.1.2, port 12546
• Incoming media traffic is allowed even when no firewall policy has been explicitly configured

156
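The SDP rewrite and pinhole from the SIP example above can be modelled in a few dozen lines. This is an added example, not the FortiOS session helper: the SIP INVITE text is constructed, and the helper only rewrites the `c=`/`o=` addresses and opens a pinhole for the `m=` port, which is the behaviour the slide describes.

```python
"""Model of the SIP session helper's SDP rewrite and media pinhole
(added example, not FortiOS code; the INVITE below is constructed)."""
import re

INVITE = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 172.16.1.2:5060\r\n"
    "Content-Type: application/sdp\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 1 1 IN IP4 172.16.1.2\r\n"
    "c=IN IP4 172.16.1.2\r\n"
    "m=audio 12546 RTP/AVP 0\r\n"
)


class SipHelper:
    """Tracks the NAT mapping of one internal phone and the pinholes it opens."""

    def __init__(self, inside_ip: str, nat_ip: str):
        self.inside_ip, self.nat_ip = inside_ip, nat_ip
        self.pinholes = {}   # (nat_ip, udp port) -> (inside_ip, udp port)

    def process_outbound(self, msg: str) -> str:
        """Rewrite the inside address in the SIP headers and SDP body, open a
        pinhole for every m= media port, and fix Content-Length."""
        head, _, body = msg.partition("\r\n\r\n")
        # Application-layer addresses: o= and c= lines carry "IN IP4 <addr>".
        body = re.sub(r"(IN IP4 )" + re.escape(self.inside_ip),
                      r"\g<1>" + self.nat_ip, body)
        head = head.replace(self.inside_ip, self.nat_ip)
        for port in re.findall(r"^m=\w+ (\d+) ", body, flags=re.M):
            port = int(port)
            # Inbound media to the NATed address:port is allowed and translated
            # back to the phone, without an explicit firewall policy.
            self.pinholes[(self.nat_ip, port)] = (self.inside_ip, port)
        head = re.sub(r"Content-Length: \d+", f"Content-Length: {len(body)}", head)
        return head + "\r\n\r\n" + body

    def inbound_media(self, dst_ip: str, dst_port: int):
        """Inside destination for an inbound UDP packet, or None if it is dropped."""
        return self.pinholes.get((dst_ip, dst_port))

    def close_call(self):
        """Pinholes live only as long as the call; drop them on BYE."""
        self.pinholes.clear()
```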
Sessions
Objectives
• Understand the session table on FortiGate
• Understand the session time to live (TTL)
• Analyze session diagnose command output
• Understand the TCP, UDP, and ICMP states on FortiGate
Session Table
• Accepted IP sessions are tracked in the kernel’s session table, but this can be
affected by hardware acceleration.
• The session table stores the following information about the session:
o The source and destination addresses, port number pairs, state, and timeout
o The source and destination interfaces
o The source and destination NAT actions
• The session table stores the following performance metrics:
o Maximum concurrent sessions
o New sessions per second
FortiView > All Sessions

158
Session Time To Live (TTL)
• When the session table is full, reducing timers may improve performance by closing
sessions earlier. However, be careful not to close sessions too soon, because this
can cause connection errors.

TCP default TTL:
  config system session-ttl
      set default 3600
  end
Specific state timers:
  config system global
      set tcp-halfclose-timer 120
      set tcp-halfopen-timer 10
      set tcp-timewait-timer 1
      set udp-idle-timer 60
  end
• Timers can be applied in policies and objects, and have precedence:
  o Firewall Services > Firewall Policies > Global Sessions

159
Firewall Session Diagnostics
• diagnose sys session
o The session table also indicates policy actions.
o Clear any previous filter:
diagnose sys session filter clear
o Set the filter:
diagnose sys session filter ?
dport destination port
dst destination IP address
policy policy id
sport source port
src source ip address
o List all entries matching the configured filter:
diagnose sys session list
o Purge all entries matching the configured filter:
diagnose sys session clear

160
Session Table: TCP Example
# diagnose sys session filter dst 10.200.1.254
# diag sys session filter dport 80
# diag sys session list
session info: proto=6 proto_state=05 duration=2 expire=78 timeout=3600 flags=00000000 sockflag=00000000
sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper
ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=may_dirty
statistic(bytes/packets/allow_err): org=538/6/1 reply=5407/6/0 tuples=2 speed(Bps/kbps):2596/20
orgin->sink: org pre->post, reply pre->post dev=5->3/3->5 gwy=10.200.1.254/10.0.1.10
hook=post dir=org act=snat 10.0.1.10:64624->10.200.1.254:80(10.200.1.1:64624)
hook=pre dir=reply act=dnat 10.200.1.254:80->10.200.1.1:64624(10.0.1.10:64624)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0
serial=00023a22 tos=ff/ff ips_view=0 app_list=0 app=0 url_cat=0
dd_type=0 dd_mode=0

Callouts: proto_state = TCP state; expire = session TTL; the orgin->sink line with dev= and gwy= = routing operation; the hook= lines with act=snat and act=dnat = NAT operation; policy_id = policy ID

161
Session Table: TCP Example
# diagnose sys session filter dst 10.200.1.254 Session TTL
# diag sys session filter dport 80 TCP State
# diag sys session list
session info: proto=6 proto_state=05 duration=2 expire=78 timeout=3600
flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper
ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=may_dirty Routing operation
statistic(bytes/packets/allow_err): org=538/6/1 reply=5407/6/0 tuples=2
speed(Bps/kbps):2596/20
orgin->sink: org pre->post, reply pre->post dev=5->3/3->5 NAT operation
gwy=10.200.1.254/10.0.1.10
hook=post dir=org act=snat 10.0.1.10:64624->10.200.1.254:80(10.200.1.1:64624)
hook=pre dir=reply act=dnat 10.200.1.254:80->10.200.1.1:64624(10.0.1.10:64624)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0
serial=00023a22 tos=ff/ff ips_view=0 app_list=0 app=0 url_cat=0
dd_type=0 dd_mode=0 Policy ID

162
TCP States
• proto_state=05
o First digit: client-side state
• 0 if not proxy-based inspection
o Second digit: server-side state

TCP State        Value   Expire timer in sec (default)
NONE             0       10
ESTABLISHED      1       3600
SYN_SENT         2       120
SYN & SYN/ACK    3       60
FIN_WAIT         4       120
TIME_WAIT        5       120
CLOSE            6       10
CLOSE_WAIT       7       120
LAST_ACK         8       30
LISTEN           9       120

Diagram on the slide (server-side state value as the connection progresses): SYN → 02, SYN/ACK → 03, ACK → 01, FIN → 04, FIN/ACK → 05.
ICMP and UDP Protocol States
• Even though UDP is stateless, FortiGate still uses two session state values:

UDP State                   Value
UDP traffic one way only    0
UDP traffic both ways       1

Diagram on the slide: while UDP datagrams flow in one direction only, the session shows proto_state=00; once a reply is seen in the other direction it becomes proto_state=01.
• ICMP has no state
o proto_state is always 00
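Added example (Python, not part of the Fortinet course material): a parser for the diagnose sys session list output shown in the TCP example, which decodes proto_state with the TCP and UDP state tables above and extracts the fields the slide callouts point to (session TTL, NAT operation, policy ID). The sample text is constructed: the slide's TCP entry plus a made-up UDP entry in the same layout.

```python
import re

# TCP proto_state (second digit) values and default expire timers, from the TCP States table.
TCP_STATES = {
    0: ("NONE", 10), 1: ("ESTABLISHED", 3600), 2: ("SYN_SENT", 120),
    3: ("SYN & SYN/ACK", 60), 4: ("FIN_WAIT", 120), 5: ("TIME_WAIT", 120),
    6: ("CLOSE", 10), 7: ("CLOSE_WAIT", 120), 8: ("LAST_ACK", 30), 9: ("LISTEN", 120),
}
# UDP proto_state values from the ICMP and UDP Protocol States table.
UDP_STATES = {0: "UDP traffic one way only", 1: "UDP traffic both ways"}

# Constructed sample: the TCP entry from the slide, plus a made-up UDP (proto=17) entry
# in the same layout so both decoders are exercised.
SAMPLE_OUTPUT = """\
session info: proto=6 proto_state=05 duration=2 expire=78 timeout=3600 flags=00000000 sockflag=00000000
sockport=0 av_idx=0 use=3
ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=may_dirty
statistic(bytes/packets/allow_err): org=538/6/1 reply=5407/6/0 tuples=2 speed(Bps/kbps):2596/20
orgin->sink: org pre->post, reply pre->post dev=5->3/3->5 gwy=10.200.1.254/10.0.1.10
hook=post dir=org act=snat 10.0.1.10:64624->10.200.1.254:80(10.200.1.1:64624)
hook=pre dir=reply act=dnat 10.200.1.254:80->10.200.1.1:64624(10.0.1.10:64624)
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0
serial=00023a22 tos=ff/ff ips_view=0 app_list=0 app=0 url_cat=0
session info: proto=17 proto_state=00 duration=1 expire=59 timeout=60 flags=00000000 sockflag=00000000
hook=post dir=org act=noop 10.0.1.10:5353->10.200.1.254:53(0.0.0.0:0)
misc=0 policy_id=2 auth_info=0 chk_client_info=0 vd=0
"""

KV_RE = re.compile(r"(\w+)=(\S+)")
HOOK_RE = re.compile(r"hook=(\w+) dir=(\w+) act=(\w+) (\S+)")

def decode_state(proto, proto_state):
    """Translate proto/proto_state into a readable state name.
    First digit: client-side (proxy) state; second digit: server-side state."""
    client, server = int(proto_state[0]), int(proto_state[1])
    if proto == 6:
        name, default_expire = TCP_STATES[server]
        return name, default_expire, client != 0
    if proto == 17:
        return UDP_STATES[server], None, False
    return "stateless (proto_state always 00)", None, False  # ICMP and others

def parse_sessions(text):
    """Split 'diagnose sys session list' output into one dict per session."""
    sessions = []
    for chunk in text.split("session info:")[1:]:
        fields = dict(KV_RE.findall(chunk))
        proto = int(fields["proto"])
        name, default_expire, proxied = decode_state(proto, fields["proto_state"])
        hooks = [dict(zip(("hook", "dir", "act", "flow"), h)) for h in HOOK_RE.findall(chunk)]
        sessions.append({
            "proto": proto,
            "proto_state": fields["proto_state"],
            "state_name": name,
            "default_expire": default_expire,
            "proxy_inspected": proxied,
            "expire": int(fields["expire"]),       # seconds left before the entry is removed
            "timeout": int(fields["timeout"]),     # TTL applied when the session was created
            "policy_id": int(fields["policy_id"]),
            "nat": [h["act"] for h in hooks if h["act"] in ("snat", "dnat")],
            "gateway": fields.get("gwy"),
        })
    return sessions

def sessions_for_policy(sessions, policy_id):
    """Same selection as the 'policy' filter: entries accepted by a given firewall policy."""
    return [s for s in sessions if s["policy_id"] == policy_id]

if __name__ == "__main__":
    for s in parse_sessions(SAMPLE_OUTPUT):
        print(f"proto={s['proto']} state={s['state_name']} expire={s['expire']}/{s['timeout']} "
              f"nat={s['nat'] or 'none'} policy={s['policy_id']}")
```

Feed it the text captured from a real diagnose sys session list run to get the same per-session dicts; the expire/timeout pair shows how close each entry is to the TTL configured on the previous slide.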
Best Practices and Troubleshooting
Objectives
• Identify common NAT issues by reviewing traffic logs
• Monitor NAT sessions using diagnose commands
• Use VIP filters for central NAT
• Use NAT implementation best practices
NAT Port Exhaustion
• If traffic log is enabled, the following log is displayed when the NAT ports are
exhausted:
Message meets Alert condition date=2011-02-01 time=19:52:01
devname=master device_id="" log_id=0100020007 type=event
subtype=system pri=critical vd=root service=kernel status=failure
msg="NAT port is exhausted."
NAT Port Exhaustion
# diagnose sys session stat
misc info: session_count=16 setup_rate=0 exp_count=0 clash=889
memory_tension_drop=0 ephemeral=1/16384 removeable=3
delete=0, flush=0, dev_down=16/69
firewall error stat:
….
ids_recv=000fdc94
url_recv=00000000
av_recv=001fee47
fqdn_count=00000000
tcp reset stat: syncqf=119 acceptqf=0 no-listener=3995 data=0 ses=2
ips=0
global: ses_limit=0 ses6_limit=0 rt_limit=0 rt6_limit=0

Callout on the slide: a number above 0 indicates that some sessions have been rejected because of NAT port exhaustion.
Monitoring NAT Sessions with Diagnose Commands
• diagnose firewall ippool-all list
o Lists all the configured NAT IP pools with NAT IP range and type.

Local-FortiGate # diagnose firewall ippool-all list
vdom:root owns 1 ippool(s)
name:INTERNAL-HOST-EXT-IP
type:overload
nat-ip-range:10.200.1.100-10.200.1.100
…………
…………

Callout on the slide: the command will list all configured IP pools.
Monitoring NAT Sessions with Diagnose Commands (Cont’d)
• diagnose firewall ippool-all stats <Optional IP Pool name>
o Lists stats for all of the IP pools:
• NAT sessions per IP pool
• Total tcp sessions per IP pool
• Total udp sessions per IP pool
• Total others (non-tcp and non-udp) sessions per IP pool

# diagnose firewall ippool-all stats
vdom:root owns 2 ippool(s)
name: EXT
type: overload
startip: 10.200.1.100
endip: 10.200.1.100
total ses: 100
tcp ses: 75
udp ses: 20
other ses: 5

name: Training
type: one-to-one
startip: 10.200.1.50
endip: 10.200.1.60
total ses: 10
tcp ses: 8
udp ses: 2
other ses: 0
Callout on the slide: the command will show stats of all IP pools.

# diagnose firewall ippool-all stats EXT
name: EXT
type: overload
startip: 10.200.1.100
endip: 10.200.1.100
total ses: 100
tcp ses: 75
udp ses: 20
other ses: 5
Callout on the slide: the command will only show stats of the IP pool named EXT.
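Added example (Python, not part of the Fortinet course material) covering the three NAT monitoring slides above: it parses the diagnose firewall ippool-all stats layout into per-pool records, picks the "NAT port is exhausted." event out of key=value log lines, reads the clash counter from diagnose sys session stat, and turns them into findings. All sample text is constructed from the slides' output; treating the clash counter as the value the slide callout refers to is an assumption, and the per-address warning threshold is a constructed number, not a FortiOS limit.

```python
import ipaddress
import re

# Constructed sample in the layout of 'diagnose firewall ippool-all stats' from the slide.
IPPOOL_STATS = """\
vdom:root owns 2 ippool(s)
name: EXT
type: overload
startip: 10.200.1.100
endip: 10.200.1.100
total ses: 100
tcp ses: 75
udp ses: 20
other ses: 5

name: Training
type: one-to-one
startip: 10.200.1.50
endip: 10.200.1.60
total ses: 10
tcp ses: 8
udp ses: 2
other ses: 0
"""

# Constructed sample of the 'misc info' lines from 'diagnose sys session stat'.
SESSION_STAT = """\
misc info: session_count=16 setup_rate=0 exp_count=0 clash=889
memory_tension_drop=0 ephemeral=1/16384 removeable=3
"""

# Constructed event-log lines; the first is the exhaustion message from the slide.
EVENT_LOG = """\
date=2011-02-01 time=19:52:01 devname=master device_id="" log_id=0100020007 type=event subtype=system pri=critical vd=root service=kernel status=failure msg="NAT port is exhausted."
date=2011-02-01 time=19:53:10 devname=master device_id="" log_id=0100020007 type=event subtype=system pri=notice vd=root service=kernel status=success msg="constructed unrelated event"
"""

def parse_ippool_stats(text):
    """One dict per pool; 'total ses' becomes total_ses, counters become ints."""
    pools, current = [], None
    for line in text.splitlines():
        if line.startswith("name:"):
            current = {"name": line.split(":", 1)[1].strip()}
            pools.append(current)
        elif current is not None and ":" in line:
            key, value = (part.strip() for part in line.split(":", 1))
            current[key.replace(" ", "_")] = int(value) if value.isdigit() else value
    return pools

def pool_size(pool):
    """Number of NAT addresses between startip and endip, inclusive."""
    start, end = ipaddress.IPv4Address(pool["startip"]), ipaddress.IPv4Address(pool["endip"])
    return int(end) - int(start) + 1

def parse_log_line(line):
    """FortiOS key=value log format, with quoted values unquoted."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def exhaustion_events(log_text):
    return [rec for rec in map(parse_log_line, log_text.splitlines())
            if rec.get("msg") == "NAT port is exhausted."]

def clash_count(stat_text):
    match = re.search(r"\bclash=(\d+)", stat_text)
    return int(match.group(1)) if match else 0

def nat_findings(pools, stat_text, log_text, sessions_per_address_warn=60000):
    """Findings to raise: logged exhaustion, a non-zero clash counter (assumed to be the
    counter the slide's callout refers to), and overload pools with many sessions per
    address. The threshold is a constructed value, not a FortiOS limit."""
    findings = [f"{e['date']} {e['time']} {e['devname']}: {e['msg']}" for e in exhaustion_events(log_text)]
    clashes = clash_count(stat_text)
    if clashes:
        findings.append(f"session clash counter is {clashes}")
    for pool in pools:
        if pool["type"] == "overload":           # one-to-one pools do not share ports
            per_address = pool["total_ses"] / pool_size(pool)
            if per_address >= sessions_per_address_warn:
                findings.append(f"pool {pool['name']}: {per_address:.0f} sessions per address")
    return findings

if __name__ == "__main__":
    for finding in nat_findings(parse_ippool_stats(IPPOOL_STATS), SESSION_STAT, EVENT_LOG):
        print(finding)
```

Overload (PAT) pools are the ones that run out of ports, so the per-address ratio is only computed for them; a one-to-one pool such as Training is listed but not scored.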
Review
✓ Understand NAT and PAT
✓ Understand the different configuration modes for NAT
✓ Configure a firewall policy to perform SNAT and DNAT (VIPs)
✓ Configure central NAT
✓ Understand session helpers and use a SIP session helper for VoIP
✓ Understand and interpret the session table
✓ Analyze the session diagnose command output
✓ Understand TCP, UDP, and ICMP states
✓ Use traffic logs to identify common NAT issues and monitor NAT sessions using
session diagnose commands
✓ Use NAT implementation best practices
FortiGate Security
Firewall Authentication

© Copyright Fortinet Inc. All rights reserved. Last Modified: 24 January 2020
Lesson Progress
Methods of Firewall Authentication
Remote Authentication Servers
User Groups
Using Firewall Policies for Authentication
Authenticating Through Captive Portal
Monitoring and Troubleshooting
Methods of Firewall Authentication
Objectives
• Describe firewall authentication
• Identify the different methods of firewall authentication available on FortiGate
devices
• Identify supported remote authentication servers
• Describe active and passive authentication and order of operations
Firewall Authentication
• It includes the authentication of users and user groups.
o It is more reliable than just IP address and device-type authentication.
o Users must authenticate by entering valid credentials.
• After FortiGate identifies the user or device, FortiGate applies firewall policies and
profiles to allow or deny access to each specific network resource.
FortiGate Methods of Firewall Authentication
• Local password authentication
o User name and password stored on FortiGate
• Server-based password authentication (also called remote password
authentication)
o Password stored on a POP3, RADIUS, LDAP, and TACACS+ server
• Two-factor authentication
o Enabled on top of an existing method
o Requires something you know and something you have (token or certificate)
Local Password Authentication
• User accounts created through User & Device > User Definition
• User accounts stored locally on FortiGate
o Works well for single FortiGate installations

Diagram on the slide: the user sends a user name and password to FortiGate, which checks them against its locally stored accounts.
Server-Based Password Authentication
• Accounts are stored on a remote authentication server.
• Administrators can do one of the following:
o Create an account for the user locally, and specify the server to verify the password.
o Add the authentication server to a user group.
• All users in that server become members of the group.

Diagram on the slide: the username and password pass from the user to FortiGate and from FortiGate to the remote server; the remote server answers OK, which FortiGate relays to the user.
Remote Authentication Servers
Supported server types: POP3, RADIUS, LDAP, TACACS+
• POP3 uses an email address as the login credential (configured on server).
Server-Based Password Authentication–Users
User & Device > User Definition
• Create user accounts on FortiGate.
o Select remote server type and point to preconfigured remote server (the server must be preconfigured on FortiGate)
o Add user to a group
• Add the remote authentication server to user groups.
o The server must be preconfigured on FortiGate.
Two-Factor Authentication and One-Time Passwords
• Strong authentication that improves security by preventing attacks associated with the use of static passwords alone
• Requires two independent methods of identifying a user:
o Something you know, such as password or PIN
o Something you have, such as a token or certificate
• One time passwords (OTPs) can be used one time only.
o OTPs are more secure than static passwords.
• Available on both user and administrator accounts
o The user or user group is added to a firewall policy in order to authenticate.
• Methods of OTP delivery include:
o FortiToken 200 or FortiToken Mobile
• Generates a six-digit code every 60 seconds based on a unique seed and GMT time
o Email or SMS
• An OTP is sent to the user’s email or SMS
• Email or SMS must be configured in the user’s account
o FortiToken mobile push
• Supports two-factor authentication without requiring user to enter code
• NTP server recommended!
FortiTokens
Diagram on the slide (OTP generator, user, validation server):
1. The OTP generator runs the algorithm over Time* + Seed to produce the OTP (* time synced with an accurate NTP source).
2. The user submits the static password + OTP.
3. The validation server runs the same algorithm over Time + Seed and obtains the same OTP value (same seed, same time).
4. The validation server validates the static password.
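Added example (Python, not Fortinet's code and not the FortiToken implementation): the time + seed scheme in the diagram, written as standard RFC 6238 TOTP (HMAC-SHA1 over the time-step counter). The 60-second step and six digits mirror the previous slide; that FortiToken uses exactly these parameters is an assumption. The validation side accepts one step of drift either way, which is why both sides need NTP-synced time. The seed is constructed.

```python
import hashlib
import hmac
import struct
import time

def totp(seed: bytes, unix_time: int, step: int = 60, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, truncated to `digits` decimals.
    step=60 / digits=6 follow the slide's 'six-digit code every 60 seconds'; the exact
    FortiToken parameters are an assumption, not something the slide specifies."""
    counter = int(unix_time) // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def validate_otp(seed: bytes, submitted: str, server_time: int, step: int = 60,
                 digits: int = 6, drift_steps: int = 1) -> bool:
    """Validation-server side: only the current step and +/- drift_steps neighbours
    are accepted, so a clock that drifts more than that rejects every code."""
    for k in range(-drift_steps, drift_steps + 1):
        candidate = totp(seed, server_time + k * step, step, digits)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False

def two_factor_login(static_ok: bool, seed: bytes, otp: str, server_time: int) -> bool:
    """Something you know (static password, checked elsewhere) AND something you have (token)."""
    return static_ok and validate_otp(seed, otp, server_time)

if __name__ == "__main__":
    # Constructed seed; a real token seed is provisioned per device and never shared.
    seed = b"constructed-seed-for-demo-only"
    now = int(time.time())
    code = totp(seed, now)                         # what the token displays
    print("token shows", code, "accepted:", two_factor_login(True, seed, code, now))
```

Because the code is an HMAC of the counter, knowing a previous code gives no information about the next one; what the scheme does depend on is the seed staying secret and the two clocks agreeing.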
Assigning a FortiToken to a User
User & Device > FortiTokens
• Two free FortiToken Mobile activations
• Enable Two-factor Authentication and select the registered FortiToken.
• Can add a user to a group and create a firewall policy based on the user group
Authentication Methods and Active Authentication
• Active
o User receives a login prompt
o Must manually enter credentials to authenticate
o POP3, LDAP, RADIUS, Local, and TACACS+
• Passive
o User does not receive a login prompt
o Credentials are determined automatically
• Method varies depending on type of authentication used
o FSSO, RSSO, and NTLM
Remote Authentication Servers
Objectives
• Configure remote authentication servers
• Configure user authentication
• Understand the roles of LDAP and RADIUS
LDAP Overview
• LDAP is an application protocol for accessing and maintaining distributed directory
information services.

Diagram on the slide: User → LDAP Client (FortiGate) → Directory System Agent (DSA), over TCP port 389.

• LDAP maintains authentication data, including:
o Departments, people (and groups of people), passwords, email addresses, and printers
• LDAP consists of a data-representation scheme, a set of defined operations, and a
request and response network.
• Binding is the operation in which the LDAP server authenticates the user.
LDAP Directory Tree
• The LDAP structure is similar to a tree that contains entries (objects) in each
branch.
• Each entry has a unique ID: the distinguished name (DN).
• Each DN has attributes.
• Each attribute has a name and one or more values.
• The attributes are defined in the directory schema.
Example Directory Tree
Domain component (DC): dc=example,dc=com
  Container object: ou=people
    Leaf objects: cn=John Smith (uid=jsmith), cn=user2 (uid=userid2), cn=usern (uid=useridn)
Configuring an LDAP Server on FortiGate
User & Device > LDAP Servers
Callouts on the slide:
o Directory tree attribute that identifies users
o Part of the hierarchy where user records exist
o Credentials for an LDAP administrator
Testing the LDAP Query
• diagnose test authserver ldap <server_name> <username> <password>
• Example:
# diagnose test authserver ldap ADserver aduser1 Training!
authenticate 'aduser1' against 'ADserver' succeeded!
Group membership(s) - CN=AD-users,OU=Training,DC=trainingAD,DC=training,DC=lab
RADIUS Overview
• RADIUS is a standard protocol that provides AAA services.

Diagram on the slide: the user authenticates to FortiGate; FortiGate sends an Access-Request to the RADIUS server, which answers with Access-Accept, Access-Reject, or Access-Challenge.
Configuring a RADIUS Server on FortiGate
User & Device > RADIUS Servers
Callouts on the slide:
o IP address or FQDN of the RADIUS server
o The RADIUS server’s secret (must match)
Testing RADIUS Queries
• diagnose test authserver radius <server_name> <scheme> <user> <password>
• Example:
# diagnose test authserver radius FortiAuth-RADIUS pap student fortinet
authenticate 'aduser1' against 'pap' succeeded, server=primary
assigned_rad_session_id=810153440 session_timeout=0 secs!
Group membership(s) - remote-AD-admins

Callout on the slide: group memberships are provided by vendor specific attributes configured on the RADIUS server.
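Added example (Python, not Fortinet's code) of the RADIUS exchange behind the PAP test above: the client builds an Access-Request with the User-Password hidden as RFC 2865 section 5.2 describes (MD5 of the shared secret and Request Authenticator, XORed block by block), a minimal server recovers the password and answers Access-Accept or Access-Reject, and the client checks the Response Authenticator before trusting the answer. The shared secret, user database and NAS-Identifier are constructed; only User-Name, User-Password and NAS-Identifier attributes are implemented.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32   # RFC 2865 attribute types
HEADER = struct.Struct("!BBH")                         # Code, Identifier, Length

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each block with MD5(secret + previous
    block), seeded with the Request Authenticator. Keeps the PAP password from anyone
    on the path who does not know the shared secret."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = bytes(p ^ b for p, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out

def reveal_password(hidden, secret, authenticator):
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ b for c, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")

def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        attrs[t] = data[i + 2:i + length]
        i += length
    return attrs

def build_access_request(ident, username, password, secret, nas_id=b"FortiGate"):
    """Client (FortiGate) side: returns the packet plus the Request Authenticator the
    client keeps to verify the reply."""
    authenticator = os.urandom(16)
    body = encode_attrs([(USER_NAME, username),
                         (USER_PASSWORD, hide_password(password, secret, authenticator)),
                         (NAS_IDENTIFIER, nas_id)])
    return HEADER.pack(ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body, authenticator

def build_response(code, ident, request_authenticator, secret, attrs=()):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = encode_attrs(attrs)
    header = HEADER.pack(code, ident, 20 + len(body))
    return header + hashlib.md5(header + request_authenticator + body + secret).digest() + body

def verify_response(packet, request_authenticator, secret):
    """Client side: a reply without a valid Response Authenticator must be discarded."""
    header, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + body + secret).digest()
    return hmac.compare_digest(expected, resp_auth)

def radius_server(packet, secret, user_db):
    """Minimal PAP server: recover the password, look the user up, answer Accept or Reject."""
    code, ident, length = HEADER.unpack(packet[:4])
    authenticator = packet[4:20]
    attrs = decode_attrs(packet[20:length])
    password = reveal_password(attrs[USER_PASSWORD], secret, authenticator)
    ok = code == ACCESS_REQUEST and user_db.get(attrs.get(USER_NAME)) == password
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, authenticator, secret)

if __name__ == "__main__":
    # Constructed shared secret and user database, using the slide's example user.
    secret, users = b"fortinet", {b"student": b"fortinet"}
    request, req_auth = build_access_request(1, b"student", b"fortinet", secret)
    reply = radius_server(request, secret, users)
    print("accept" if reply[0] == ACCESS_ACCEPT else "reject",
          "- reply authentic:", verify_response(reply, req_auth, secret))
```

The Response Authenticator is what makes the "must match" note on the previous slide matter in practice: a server configured with a different secret produces replies the client rejects, which is the symptom behind a failing diagnose test authserver radius run.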
User Groups
Objectives
• Configure user groups
Types of User Groups
Diagram on the slide: Firewall group (Paris), Guest group (Visitors), FSSO group (Active Directory Server), RSSO group (RADIUS).
• User groups types: Firewall, Fortinet single sign-on (FSSO), Guest, and RADIUS single sign-on
(RSSO).
• Firewall user groups provide access to firewall policies that require authentication.
• FSSO and RSSO are used for single sign-on authentication.
Guest User Groups
• Most commonly used for guest access in wireless networks
• Guest groups contain temporary accounts
User & Device > User Groups
Callout on the slide: account expiry
Configuring User Groups
User & Device > User Groups
Callouts on the slide:
o Add members to group (local or PKI peer)
o Can add preconfigured remote servers to the group
o Can select specific LDAP groups as defined on the LDAP server
Using Firewall Policies for Authentication
Objectives
• Configure firewall policies
Firewall Policy–Source
Policies & Objects > IPv4 Policy
• Firewall policies can use
user and user group objects to
define the source. The objects
include:
o Local firewall accounts
o External (remote) server accounts
o PKI (certificate) users
o FSSO users
• Anyone who belongs to the group and provides correct information will have a
successful authentication.
Firewall Policy–Service
• DNS traffic can be allowed if user has not authenticated yet.
o Hostname resolution is often required by the application layer protocol (HTTP/HTTPS/FTP/Telnet)
that is used to authenticate.
o DNS service must be explicitly listed as a service in the policy.
Protocols
• A firewall policy must allow a protocol in order to show the authentication dialog that
is used in active authentication:
o HTTP
o HTTPS
o FTP
o Telnet

• All other services are not allowed until the user has authenticated successfully
through one of the protocols listed above.
Mixing Policies
• Enabling authentication on a policy does not always force an active authentication
prompt.

• Two options:
o Enable authentication on every policy that could match the traffic.
o Enable a captive portal on the ingress interface for the traffic.
• If login cannot be determined passively, then FortiGate uses active authentication.
o FortiGate will not prompt the user for login credentials when the user can be determined passively.
o Active authentication is intended to be used as a backup when passive authentication fails.
Authenticating Through Captive Portal
Objectives
• Configure captive portal and disclaimers
Captive Portal
Network > Interfaces
• Authenticates users on Web pages that request a user name and password
o Enabled at interface level
• Only active authentication methods can use captive portal
• Can host captive portal on a FortiGate or an external authentication server
Configuring Captive Portal
Network > Interfaces
• Configured on network interfaces
Diagram on the slide: Local Network → Port 1 (captive portal enabled here) → FortiGate → Port 2
WiFi & Switch Controller > SSID
• For WiFi, WiFi SSID must first exist
User Access–Restricted to Groups and Allow All
• Restrict to Groups
o Only groups configured under the Admission Control section can successfully
authenticate and access resources.
• Allow all:
o Any groups configured on the firewall policies can successfully authenticate and
access resources.
Captive Portal Exemptions
• Can suppress captive portal for specific devices:
o Printers, fax machines, and so on

Exempt by address or device:
# config user security-exempt-list
    edit <list_name>
        config rule
            edit <name>
                set srcaddr | devices | dstaddr | service
            next
        end
    next
end

Exempt per firewall policy:
# config firewall policy
    edit <policy_id>
        set captive-portal-exempt enable
end
Terms of Service Disclaimer
• Displays the Terms and Disclaimer Agreement page before the user authenticates.
o The user must accept the disclaimer to proceed.
o After accepting, the user is directed to the intended destination.

# config firewall policy
    edit <policy_id>
        set disclaimer enable
end
Customizing Portal Messages
• Click Extended View.
• Not all disclaimers are or need to be the same.
o Text can be altered.
o Images can be added (to HTML messages).
System > Replacement Messages
Authentication Timeout
# config user setting
    set auth-timeout-type [idle-timeout|hard-timeout|new-session]
end

• Timeout specifies how long a user can remain idle before the user must
authenticate again.
• Default is 5 minutes.
• Three options for behavior:
o Idle (default)–No traffic for that amount of time
o Hard–Authentication expires after that amount of time, regardless of activity
o New session–Authentication expires if no new session is created in that amount of time
Monitoring and Troubleshooting
Objectives
• Monitor firewall users
• Use troubleshooting tools
• Use best practices
Monitoring Users
Monitor > Firewall User Monitor
• Also used to terminate authenticated sessions
Troubleshooting
Policy & Objects > IPv4 Policy

• CLI commands:
o diagnose firewall auth list
o diagnose firewall auth clear
o diagnose debug app fnbamd -1
o diagnose test authserver radius-direct <ip> <port> <secret>
Best Practices
• Set the source IP whenever the remote server is accessed through a VPN, since
most VPNs do not have an IP address associated with the VPN interface.
• Servers should not go through an authentication policy. Use a dedicated,
non-authentication policy for each server.
CAUTION: Use extreme caution when selecting the Include in every User Group option when
configuring a RADIUS server. This option places the RADIUS server, and all users who can authenticate
against that server, into every FortiGate user group, including groups that are used for admin access.
Review
✓ Describe firewall authentication
✓ Identify the different methods of firewall authentication available on FortiGate
devices
✓ Identify supported remote authentication servers
✓ Describe active and passive authentication and the order of operations
✓ Configure users for local password authentication, server-based password
authentication, and two-factor authentication
✓ Configure remote authentication server
✓ Configure user authentication, firewall policies, captive portal, and disclaimers
✓ Monitor firewall users
✓ Use troubleshooting tools and best practices
FortiGate Security
Certificate Operations

© Copyright Fortinet Inc. All rights reserved. Last Modified: 24 January 2020
Lesson Overview
Authenticate and Secure Data Using Certificates
Inspect Encrypted Data
Manage Digital Certificates in FortiGate
Authenticate and Secure Data Using Certificates
Objectives
• Describe why FortiGate uses digital certificates
• Describe how FortiGate uses certificates to authenticate users and devices
• Describe how FortiGate uses certificates to ensure the privacy of data
Why Does FortiGate Use Digital Certificates?
• Inspection
o FortiGate dynamically generates temporary certificates to perform full SSL inspection.
o FortiGate can inspect certificates to ensure that they are trusted and valid, before permitting a
client to connect to an outside device.
• Privacy
o FortiGate uses digital certificates, and their associated private keys, to establish SSL connections
with other devices, such as FortiGuard.
• Authentication
o Users who have certificates issued by a trusted certification authority (CA), can authenticate to
FortiGate to access the network or to establish a VPN connection.
o Admin users can use certificates as second-factor authentication to log in to FortiGate.
Using Certificates to Identify a Person or Device
• What is a digital certificate?
o A digital identity produced and signed by a CA
o Analogy: passport or driver’s license
• How does FortiGate use certificates to
identify devices and people?
o The Subject and Subject Alternative Name
fields in the certificate identify the device or
person associated with the certificate.
• FortiGate uses the X.509v3 certificate
standard.
How Does FortiGate Trust Certificates?
• FortiGate does a number of checks against
a certificate before trusting it and using it.
These checks are:
o Revocation check
• You must download the relevant CRLs to FortiGate
or configure FortiGate to use OCSP.
• Certificates are identified by a serial number on the
CRL.
o CA certificate possession
• FortiGate uses the Issuer value to determine if
FortiGate possesses the corresponding CA
certificate. Without the corresponding CA
certificate, FortiGate cannot trust the certificate.
o Validity dates
o Digital signature validation
• The verification of the digital signature on the
certificate must pass.
FortiGate Verifies a Digital Signature
Diagram on the slide (server certificate and CA):
1. The digital signature on the certificate is an encrypted hash.
2. The CA’s public key decrypts the encrypted hash, verifying the signature; the result is the original hash result produced by the signer.
3. A fresh hash result is produced, based on the certificate in FortiGate’s possession, using the same algorithm the CA used to create the signature. The fresh hash is compared with the original hash.
Certificate-Based User Authentication
• A user certificate includes:
o The CA’s signature, which is the result of the CA’s private key encrypting the hash result of the
certificate
o The user’s public key
• To authenticate with a user certificate, the authentication server (FortiGate) must
have the CA certificate whose corresponding private key signed the user certificate.
o The CA certificate contains the CA’s public key, which allows the authentication server to decrypt
and validate anything encrypted and signed by the CA’s private key.

Diagram on the slide: Alice presents a user certificate signed by the CA to the authentication server (FortiGate). FortiGate must have the certificate of the corresponding CA, and also verifies that the certificate is still valid by checking the validity dates, signature, and revocation.
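Added example (Python, not Fortinet's code) for the last three slides: the four trust checks (CA certificate possession, digital signature, validity dates, revocation by serial number) run against a user certificate the way the diagram describes them, with the signature modelled as the slide does, the CA private key "encrypting" the hash and the CA public key "decrypting" it. The key generation is textbook RSA over a JSON-encoded certificate, with no padding and no X.509 encoding, so it illustrates the checks rather than replacing a real certificate library. The CA "CA1", user "Alice", serial numbers and timestamps are constructed.

```python
import hashlib
import json
import random

def is_probable_prime(n, rounds=16):
    """Miller-Rabin; adequate for a demo key, not for a production key generator."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits):
    while True:
        candidate = random.getrandbits(bits) | (1 << (bits - 1)) | 1   # force size and oddness
        if is_probable_prime(candidate):
            return candidate

def gen_keypair(bits=512):
    """Textbook RSA key pair: public (n, e), private (n, d). Illustration only."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:            # e is prime, so this means gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))

def tbs_hash(cert):
    """Hash of the 'to be signed' part: every field except the signature itself."""
    tbs = {k: v for k, v in cert.items() if k != "signature"}
    return int.from_bytes(hashlib.sha256(json.dumps(tbs, sort_keys=True).encode()).digest(), "big")

def sign_cert(cert, ca_private):
    n, d = ca_private
    cert["signature"] = pow(tbs_hash(cert), d, n)    # the slide's "CA private key encrypts the hash"
    return cert

def signature_valid(cert, ca_public):
    n, e = ca_public
    return pow(cert["signature"], e, n) == tbs_hash(cert)   # "CA public key decrypts", then compare

def validate(cert, trusted_cas, crl_serials, now):
    """The slide's checks: CA certificate possession, digital signature, validity dates, revocation."""
    ca = trusted_cas.get(cert["issuer"])
    if ca is None:
        return False, "no CA certificate for issuer " + cert["issuer"]
    if not signature_valid(cert, tuple(ca["public_key"])):
        return False, "digital signature does not verify"
    if not cert["not_before"] <= now <= cert["not_after"]:
        return False, "outside validity dates"
    if cert["serial"] in crl_serials:
        return False, "serial number is on the CRL"
    return True, "trusted"

def build_demo(now):
    """Constructed CA 'CA1' (self-signed) and a user certificate for 'Alice' signed by it."""
    ca_pub, ca_priv = gen_keypair()
    ca_cert = sign_cert({"subject": "CA1", "issuer": "CA1", "serial": 1, "public_key": list(ca_pub),
                         "not_before": now - 86400, "not_after": now + 3650 * 86400}, ca_priv)
    user_pub, _ = gen_keypair()
    user_cert = sign_cert({"subject": "Alice", "issuer": "CA1", "serial": 1001, "public_key": list(user_pub),
                           "not_before": now - 3600, "not_after": now + 365 * 86400}, ca_priv)
    return {"CA1": ca_cert}, user_cert

if __name__ == "__main__":
    now = 1_600_000_000
    cas, alice = build_demo(now)
    print(validate(alice, cas, set(), now))        # (True, 'trusted')
    print(validate(alice, cas, {1001}, now))       # revoked: serial on the CRL
    print(validate(alice, {}, set(), now))         # CA certificate not in the trusted store
```

Without the CA certificate (an empty trusted store) the signature cannot even be checked, which is the point the CA-possession slide makes; the order of the remaining checks is a design choice, the outcome is that any one failure is enough to reject.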
Self-Signed SSL Certificates
• By default, FortiGate uses a self-signed SSL certificate.
o Not listed with an approved CA, therefore, by default, not trusted

Diagram on the slide: the FortiGate (FGT) certificate is added to the client’s certificate store, after which the client says "FortiGate, I trust you".
FortiGate Uses SSL for Privacy
• FortiGate achieves privacy using SSL.
• SSL attributes:
o Privacy of data
o Identifies one or both parties using certificates.
o Uses symmetric and asymmetric (public key) cryptography.
• Symmetric cryptography
o Uses the same key to encrypt and decrypt data.
o When FortiGate establishes an SSL session between itself and another device, the symmetric key
(or rather the value to produce it) must be shared so that data can be encrypted by one side, sent,
and decrypted by the other side.
• Asymmetric cryptography
o Uses a pair of keys. One key performs one function and the other key performs the opposite
function. For example, if FortiGate connected to a web server to initiate an SSL session, it would
use the web server’s public key to encrypt a string known as the pre-master secret. The web
server’s private key would decrypt the pre-master secret.
SSL Between FortiGate and a Web Server—Part 1
1. Browser sends a hello message to the web server. The message includes the SSL version and algorithms that it supports.
2. Server replies with the SSL version and algorithms that will be used during the session and that both sides support. It also sends its certificate.
3. FortiGate checks the server certificate against its certificate store:
   1. Corresponding CA cert?
   2. Signature valid?
   3. Validity dates?
   4. Revocation check?
SSL Between FortiGate and a Web Server—Part 2
4. FortiGate generates a pre-master secret, encrypts it using the web server’s public key, and sends it to the server.
5. The server decrypts the pre-master secret using its private key.
SSL Between FortiGate and a Web Server—Part 3
6. Both sides derive a master secret based on the pre-master secret.
7. Session (symmetric) key is generated based on the shared master secret.
8. Digest exchange
Inspect Encrypted Data
Objectives
• Describe certificate inspection and full SSL inspection
• Configure certificate inspection and full SSL/SSH inspection
• Identify what is required to implement full SSL inspection
• Identify the obstacles to implementing full SSL inspection and possible remedies
No SSL Inspection
• Cloaked by encryption, viruses can pass through network defenses, unless full SSL
inspection is enabled.

Diagram on the slide: Bob connects to https://example.com through FortiGate; without full SSL inspection the encrypted stream between Bob and the web server passes through uninspected.
SSL Certificate Inspection
• FortiGate uses the server name indication (SNI) to discern the hostname of the
SSL server at the beginning of the SSL handshake.
• When certificate inspection is enabled, FortiGate performs the following checks on
SSL certificates:
o Trust (In other words, does FortiGate have the corresponding CA certificate in its trusted list that
allows it to verify the signature?)
o Signature verification
o Validity dates
o Revocation checking
• While offering some level of security, certificate inspection does not permit the
inspection of encrypted data.
Configure SSL Certificate Inspection
Security Profiles > SSL/SSH Inspection
• The certificate inspection option can be selected from the drop-down list, but it’s not configurable.
• To configure the certificate inspection option, select custom-deep-inspection, then select SSL Certificate Inspection.
Full SSL Inspection—Certificate Requirements
• Full SSL inspection requires that FortiGate act as a CA to generate an SSL private
key and certificate as a proxy web server.
o To be compliant with the Internet Engineering Task Force (IETF) RFC 5280, the CA certificate
requires these two extensions to issue certificates:
• cA=True
• keyUsage=keyCertSign

• FortiGate devices that support full SSL inspection can get their CA key pair from a
couple of sources:
o A self-signed Fortinet_CA_SSL certificate from within FortiGate
o A certificate issued by an internal CA (FortiGate then acts as a subordinate CA)
• The root CA certificate must be imported into the client machines.
Full SSL Inspection on Outbound Traffic—Part 1
• FortiGate requires the private key to decrypt and inspect SSL traffic.
o FortiGate intercepts traffic coming from the server and generates and signs a new
certificate with the same subject name.

Security Profiles > SSL/SSH Inspection
Full SSL Inspection on Outbound Traffic—Part 2
• Certificate issued by FortiGate must have the destination domain name (in this example, www.ex.ca).
• SSL is established between FortiGate and the browser, and between FortiGate and the web server.

Diagram on the slide:
1. The browser requests https://www.ex.ca.
2. The web server sends its certificate (cn=ex.ca).
3. The FortiGate CA private key (cn=fgt-ca) signs a certificate that masquerades as the web server (cn=ex.ca).
4. The FortiGate-produced web server certificate is sent to the browser.
5. The browser is tricked into thinking it has connected directly to the web server.
Untrusted SSL Certificates Setting
• Allow, block, or ignore untrusted Security Profiles > SSL/SSH Inspection
certificates (only available if Multiple
Clients Connecting to Multiple
Servers is selected)
o Allow: Sends the browser an untrusted
temporary certificate when the server
certificate is untrusted. If the server
certificate is trusted, a trusted temporary
certificate is sent.
o Block: Blocks the connection when an
untrusted server certificate is detected.
o Ignore (set through CLI only): Uses a
trusted FortiGate certificate to replace
the server certificate always, even when
the server certificate is untrusted.
Untrusted SSL Certificates—Allow Setting, Trusted Site
1. Bob initiates a connection to a site that FortiGate trusts.
2. The trusted site sends its certificate (Issuer=CA1).
3. FortiGate trusts this SSL certificate because it has the corresponding CA certificate (Subject=CA1) in its trusted certificate store and can validate the SSL certificate’s signature.
4. FortiGate generates and signs a temporary certificate for the trusted site with the Fortinet_CA_SSL private key and sends the certificate to the browser.
5. The browser trusts the cert because the corresponding FortiGate CA cert is in its trusted root CA cert store. The SSL handshake begins.
Untrusted SSL Certificates—Allow Setting, Untrusted Site
1. Bob initiates a connection to a site that FortiGate does not trust.
2. The untrusted site sends its certificate (Issuer=Self-Signed).
3. FortiGate does not trust this SSL certificate because it has not been added to its trusted certificate store: the self-signed certificate is not in the trusted certificate store.
4. FortiGate generates and signs a temporary certificate for the untrusted site with the Fortinet_CA_Untrusted private key and sends it to the browser.
5. The browser does not trust the certificate because it does not have the corresponding CA certificate in its trusted root CA certificate store.
Untrusted SSL Certificates—Blocked, Untrusted Site
1. Bob initiates a connection to a site that FortiGate does not trust.
2. The untrusted site sends its certificate (Issuer=Self-Signed).
3. The self-signed certificate is not in the trusted certificate store.
4. FortiGate notifies the browser that the site is blocked.
5. Because FortiGate does not trust the SSL certificate, the session is stopped.
Untrusted SSL Certificates—Ignore, Untrusted Site
1. Bob initiates a connection to a site that FortiGate does not trust.
2. The untrusted site sends its certificate (Issuer=Self-Signed).
3. Because the setting is set to Ignore, FortiGate does not check the certificate store. FortiGate generates a temporary certificate that is signed by the Fortinet_CA_SSL private key and sends the certificate to the browser.
4. The browser trusts the certificate because the corresponding CA certificate is in its trusted root CA certificate store. The SSL handshake begins.
Exempting Traffic From SSL Inspection
Security Profiles > SSL/SSH Inspection
• Why exempt?
o Problems with traffic
o No option to load FortiGate CA
o Legal issues
• Check local laws
Callouts on the slide:
o White list exemption as rated by FortiGuard web filtering
o Includes exemptions such as Fortinet, Android, Apple, Skype and more
Invalid Certificates
Security Profiles > SSL/SSH Inspection
• Enabling this option allows invalid SSL certificates.
• Invalid certificates produce security warnings due to problems with the certificate details.
• When this option is disabled, FortiGate performs the following checks on certificates:
o Validity date check
o Signature on certificate check
o Revocation check
Configuring Full SSH Inspection
Security Profiles > SSL/SSH Inspection
Full SSL Inspection on Inbound Traffic
Security Profiles > SSL/SSH Inspection
• A user from the internet attempts to connect to a protected server.
• The SSL connection is split into two, both terminating at FortiGate.
o FortiGate proxies the SSL traffic.
o The server's signed certificate, private key, and chain of certificates must be installed in FortiGate.
o FortiGate presents the signed certificate to the user on behalf of the server.

Diagram on the slide: Alice connects to https://www.example.com; the server certificate issued by the CA is installed on FortiGate, which terminates Alice’s SSL session and opens a second one to the protected server.
Applying an SSL Inspection Profile to a Firewall Policy
Policy & Objects > IPv4 Policy
• You must assign an SSL inspection profile to a firewall policy so FortiGate knows how to treat encrypted traffic.
o A security profile without an SSL inspection profile enabled means encrypted protocols are ignored through that firewall policy.
Callouts on the slide:
o Select one or more other security profiles before selecting SSL/SSH Inspection.
o Other SSL/SSH inspection profiles can be selected from the drop-down list.
Certificates Warnings
• The browser may display a certificate warning during SSL inspection because it
does not trust the CA.
• To avoid certificate warnings, do one of the following:
o Use the Fortinet_CA_SSL certificate and install the FortiGate CA root certificate in all the
browsers.
o Use an SSL certificate issued by a CA and ensure that the root CA certificate is installed in all the
browsers.

245
Full SSL Inspection and HSTS/HPKP

• Some web servers implement security measures to mitigate MITM attacks.
o HTTP strict transport security (HSTS)
• A mechanism whereby web sites are accessible only through secure connections (RFC 6797, IETF)
o HTTP public key pinning (HPKP)
• Associates or pins a public key to a specific web server.
• For example, some browsers require a Google certificate when accessing any Google site.
• HPKP and HSTS are intended to work together.
[Diagram: the certificate for www.google.com without and with full SSL inspection. Without inspection: Issuer Google Internet Authority, Issued to www.google.com, Public key google.com. With inspection: Issuer FortiGate CA, Issued to www.google.com, Public key FortiGate. The browser reports that the public key is not the correct key associated with this website.]
246
Resolving HPKP Issues
• Exempt those web sites from full SSL inspection.
• Use SSL certificate inspection instead.
• Use a web browser that does not support HPKP, like Internet Explorer or Edge.
• Disable the security setting in the browser (not always an option).

247
Manage Digital Certificates in FortiGate
Objectives
• Generate a certificate request
• Import CRLs
• Back up and restore certificates
Generating a CSR for a CA
[Diagram: FortiGate sends a Certificate Signing Request (CSR) to the CA. The CA extracts data from the CSR, such as the public key, and generates and signs a certificate for FortiGate. It then returns the FGT server certificate to FortiGate.]
• A certificate signing request (CSR) that includes the public key and is signed by the private key is submitted to a CA.
o File is usually a *.CSR (Certificate Signing Request)
o User information and key data is verified
• Data is published in industry-standard format and the digital signature of the CA is applied.
• The signature guarantees the integrity of the data and that the data has been verified by a trusted authority.
249
Generating a CSR
System > Certificates

250
CSR Enrollment Types
• File-based method
o Select CSR and click Download.
o Submit file to CA.
• Online SCEP method
o Enter the CA server URL used for SCEP and the challenge password provided by the CA administrator.
o A CSR is automatically submitted online.
Note that if you delete the CSR, you will not be able to import the signed certificate and you will have to start over!
251
Importing a Local Certificate
• To import a local certificate:
1. Go to Import > Local Certificate
2. Browse for .cer file provided by CA

System > Certificates

252
Importing a CRL
System > Certificates
• FortiGate administrators can manually import CRLs.
• Upload options:
o HTTP
o LDAP
o SCEP
o Local PC
• FortiGate automatically updates CRLs before they expire.

253
Backing Up and Restoring Certificates
• Back up keys and certificates through the CLI (TFTP server required for import and export):
execute vpn certificate local import tftp <file-name_str> <tftp_ip>
execute vpn certificate local export tftp <certificate-name_str> <file-name_str> <tftp_ip>
• Keys and certificates are stored in the PKCS#12 file.
• Configuration backup also contains the keys and certificates.
[Diagram: the FortiGate private key, the local certificates of the FortiGate device, and the CA's certificates are exported together into a password-protected PKCS#12 file.]
254
Certificate Configuration–VDOM and Global
• You can configure CA and local certificates per VDOM.
config certificate local
edit Fortinet_Factory
set range <global/vdom>
set source <factory/user/fortiguard>
[Screenshot: FortiGate certificates, some identified with specific signature algorithms and key lengths in their names, and CA certificates.]
255
Installing an SSL Certificate Issued by a Private CA
• Private CA certificates used by SSL should be installed on endpoints.
o Avoids certificate warnings
o Strict SSL will fail with no override option if CA is untrusted
• System > Certificates

256
Review

✓ Explain why and how FortiGate trusts or does not trust certificates
✓ Describe how an SSL handshake works between FortiGate and an
SSL server
✓ Describe certificate inspection and the two full SSL inspection
options
✓ Identify the requirements and obstacles to implementing full SSL
inspection, and possible remedies
✓ Describe how to generate a certificate request, import CRLs, and
back up and restore certificates
FortiGate Security
Antivirus

Lesson Progress

Antivirus Basics

Antivirus Scanning Modes

Antivirus Configuration

Best Practices

Troubleshooting

259
Antivirus Basics
Objectives
• Use antivirus signatures
• Review antivirus scanning techniques
• Enable FortiSandbox with antivirus
• Differentiate between available FortiGuard signature databases
What is Antivirus and How Does It Work?
• Antivirus is a database of virus signatures that is used to identify malicious code.
• Virus names: <vector>/<pattern>
o Example: W32/Kryptik.EMT!tr
• <vector> for a virus will always be the same, but vendors assign different IDs for <pattern>.

• To detect a virus, the antivirus engine must match the file against a pattern (signature).
• Each vendor uses different detection engines and signatures, such as:
o MD5
o CRC
o Combinations of file attributes
o Binary values in some areas
o Encryption keys
o Parts of code

261
Antivirus Scanning Techniques
• Antivirus scan (order of scan: 1):
o Detects and eliminates malware in real time
• Stops threats from spreading
o Preserves the client reputation of your public IP
• Grayware scan (order of scan: 2):
o Uses grayware signatures
o Detects and blocks unsolicited programs
o Antivirus actions apply
• Heuristics scan (order of scan: 3; optional, must be enabled in CLI):
o Looks for virus-like code
• (Example: Modifies registry to restart itself after reboot)
o Counts virus-like attributes
o If greater than a threshold, file is suspicious
o False positives possible
262
Sandboxing
Security Fabric > Settings
• FortiSandbox detects zero-day attacks with high certainty:
o FortiGate uploads files to FortiSandbox Cloud or FortiSandbox Appliance.
Note: You must activate a FortiCloud account to use FortiSandbox Cloud.
o Uploaded files are executed in an isolated environment (VMs).
o FortiSandbox examines the effects of the software to detect new malware.
• You can configure FortiGate to receive a signature database from FortiSandbox Cloud or FortiSandbox Appliance to supplement the FortiGuard database.
263
Sandboxing
• Administrators must configure the antivirus profile to send files to FortiSandbox for inspection.
o You can send all files, or only files deemed suspicious, to FortiSandbox (CLI only).
o Characteristics that are used to determine if a file is suspicious are updated by FortiGuard, based on the current threat climate.
Security Profile > AntiVirus
• Admins can control what files are sent to FortiSandbox.
• Allows FortiGate to use FortiSandbox signatures to supplement the FortiGuard antivirus database.
264
Antivirus Signature Database
• Requires a subscription to FortiGuard AntiVirus
System > FortiGuard
• The antivirus scanning engine relies on the antivirus signature database.
• Starting at FortiOS 5.6, the Botnet IPs and Botnet Domains subscription is part of a FortiGuard Antivirus license.
265
Antivirus Signature Database
• FortiGuard antivirus databases:
o Normal: includes common recent attacks and is available on all models
o Extended: includes normal plus additional recent non-active viruses
o Extreme: includes extended plus additional dormant viruses
• Extreme is only available on select FortiGate models.
• Choosing an antivirus signature database (CLI only):
config antivirus settings
set default-db {normal | extended | extreme}
end
• Quick scan: only available in flow inspection mode with the quick scan option enabled
• FortiOS automatically uses a compact signature database if quick scan is applied
266
Mobile Malware Database
System > FortiGuard
• Requires a subscription to the FortiGuard Mobile Malware Service
• Ensures protection against the latest threats targeting mobile platforms
o Apple iOS
o Android
o Windows mobile devices
• Proactive threat intelligence library offers complete protection against mobile threats
Security Profile > AntiVirus
• Must enable within antivirus profile settings to use Mobile Malware Database
267
Antivirus Scanning Modes
Objectives
• Apply the antivirus profile in flow-based inspection mode
• Apply the antivirus profile in proxy inspection mode
• Compare all available scanning modes
Flow-Based Inspection Mode–Full Scan Mode
• Uses the full antivirus database
o Normal, extended, or extreme–depending on what is configured in the CLI
• Optimized performance compared to proxy-based scan
• FortiGate buffers the whole file, but transmits to the client simultaneously.
o The IPS engine checks for the rule match.
o When the last packet arrives, the AV engine starts the scan.
• Files bigger than buffer size are not scanned–can enable logging of these files.
• Packets are not delayed by scan–except last packet.
o Lower perceived latency–data loads faster
• If a virus is detected, the last packet is dropped and the connection is reset. If an
identical request is made, the block replacement page is inserted immediately.

269
Full Scan Mode Packet Flow
[Diagram: the client sends a request; the IPS engine on FortiGate forwards the initial packet, packet 2, packet 3 and so on to the client as they arrive from the server. FortiGate buffers, but also transmits simultaneously. The antivirus engine starts scanning after the whole file is buffered, that is, when the last packet arrives; only the last packet is held until the scan completes.]
270
Full Scan Mode Enabled
Security Profiles > AntiVirus
System > Settings
• Use the full AV signature database
271
Quick Scan Mode Packet Flow
• Uses the IPS engine and embedded compact antivirus database
• Faster, less memory usage because the file is not cached, but lower catching rate
• Cannot send files to FortiSandbox for inspection
• Cannot use advanced heuristics and mobile malware package

272
Quick Scan Mode Packet Flow

[Diagram: the client sends a request; the IPS engine with the embedded compact AV engine on FortiGate inspects the initial packet, packet 2, packet 3, packet 4 and the final packet as they pass to the client, without caching the file.]
273
Quick Scan Mode Enabled
Security Profiles > AntiVirus
System > Settings
• Uses compact quick scan AV database
• No inspection options available
• Meant to maximize performance
• Scan Mode setting is only available in flow-based inspection mode
• Use case: public WiFi
274
Proxy Inspection Mode
• Uses full antivirus database (normal, extended, or extreme)
• Buffers the whole file
o Antivirus engine starts scanning after the end of the file is detected
• Files bigger than buffer size are not scanned–can configure to pass or block
o Packets sent to the client after scan finishes–client must wait
o Highest perceived latency
• Provides granularity over performance
• Weighted towards being more thorough and easily configurable
• Displays block message immediately if virus is detected

275
Proxy Inspection Mode Packet Flow
[Diagram: the client sends a request; the FortiGate proxy receives the initial packet, packet 2, packet 3 and the last packet from the server and buffers them. The AV engine starts scanning after the whole file is buffered; only then are the initial packet, packet 2, packet 3 and the last packet forwarded to the client.]
276
Proxy Inspection Mode Enabled
Security Profiles > AntiVirus
System > Settings
• This section is only available when operating in proxy-based inspection mode.
277
Antivirus Scanning Modes Comparison

Feature                                  Full Flow-based   Quick Flow-based   Proxy-based
Catching Rate                            Highest           High               Highest
Sandbox Support                          Yes               No                 Yes
Advanced Heuristic                       Yes               No                 Yes
Memory                                   High              Low                High
Perceived Latency                        High              Low                Highest
MAPI, NNTP Scanning                      No                No                 Yes
SMB Scanning                             Yes               Yes                No
HTTP, FTP, IMAP, POP3, SMTP Scanning     Yes               Yes                Yes
Use FortiSandbox Database                Yes               No                 Yes
Use Mobile Malware Protection Service    Yes               No                 Yes
278
Configuring Antivirus
Objectives
• Configure antivirus profiles
• Configure protocol options
• Review virus statistics
• Log and monitor antivirus events
Configuring Antivirus Profiles
Security Profiles > AntiVirus
System > Settings
• Default inspection mode is flow. Inspection mode can be changed to Proxy in System > Settings.
• FortiSandbox-related options are available only if FortiGate is configured to use FortiSandbox Cloud or Appliance under Security Fabric.
• Configure all required antivirus profile options.
280
Configuring Protocol Options
Security Profile > Proxy Options
• More granular control
• Allows configuration of:
o Protocol port mappings
o Common options
o Web and email options
• Configure for both proxy-based VDOMs and flow-based VDOMs
o Configure proxy-based VDOMs:
• From the GUI, on the Proxy Options page
• From the CLI, using the config firewall profile-protocol-options command
config firewall profile-protocol-options
edit <profile_name>
config <protocol_name>
o Configure flow-based VDOMs from the CLI only
• You can specify more than one port number (separated by comma).
281
Protocol Options–Large Files
• By default, FortiOS allows files that are too big for the buffer size.
o Files that are bigger than the oversize limit are bypassed from scanning.
• You can modify this behavior for all protocols.
config firewall profile-protocol-options
edit <profile_name>
config <protocol_name>            (HTTP, FTP, and so on)
set options oversize
set oversize-limit <integer>      (Default value is 10. Maximum value is hardware dependent.)
end
end
• You can enable logging of oversize files using the CLI.
config firewall profile-protocol-options
edit <profile_name>
set oversize-log {enable|disable}
end
282
Protocol Options–Compressed Files
• Often, compression algorithms can be identified using the header only.
• Archives are unpacked, and files and archives within are scanned separately.
o Nested archives are supported (default is 12 layers).
o Decompressed files have a separate oversize limit.
o Limit can be configured for each protocol separately.
config firewall profile-protocol-options
edit <profile_name>
config <protocol_name>            (HTTP, FTP, and so on)
set uncompressed-oversize-limit [1-<model_limit>]
set uncompressed-nest-limit [1-<model_limit>]
end
end
• Password-protected archives cannot be decompressed.
• Increasing the size will increase memory usage!
283
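The two protocol-option slides above describe four limits that decide whether a transferred file, or a file inside an archive, ever reaches the antivirus engine. The following is an added example written for this course material, not FortiOS code: it models the decision logic of oversize-limit, options oversize, oversize-log, uncompressed-oversize-limit and uncompressed-nest-limit over an in-memory ZIP. The sample archives are constructed inline, and counting the outermost archive as layer 1 is an assumption of the model.

```python
"""Model of the protocol-option size and nesting limits described above.

Added example, not Fortinet code. It reproduces the decision logic behind
`oversize-limit`, `options oversize`, `oversize-log`,
`uncompressed-oversize-limit` and `uncompressed-nest-limit` over an in-memory
ZIP, so the interplay of the limits can be observed. Limits are in MB as in the
CLI; the outermost archive counting as layer 1 is an assumption of this model.
"""
import io
import zipfile
from dataclasses import dataclass, field

MB = 1024 * 1024


@dataclass
class ProtocolOptions:
    oversize_limit_mb: int = 10               # set oversize-limit (default 10)
    block_oversize: bool = False              # set options oversize (default: pass)
    oversize_log: bool = True                 # set oversize-log enable
    uncompressed_oversize_limit_mb: int = 10  # set uncompressed-oversize-limit
    uncompressed_nest_limit: int = 12         # set uncompressed-nest-limit (default 12)


@dataclass
class Verdict:
    scanned: list = field(default_factory=list)   # files handed to the AV engine
    bypassed: list = field(default_factory=list)  # (name, reason) not scanned
    action: str = "pass"                          # "pass" or "block"
    log: list = field(default_factory=list)


def is_encrypted(info: zipfile.ZipInfo) -> bool:
    # Bit 0 of the general-purpose flag marks a password-protected entry,
    # which cannot be decompressed and therefore cannot be scanned.
    return bool(info.flag_bits & 0x1)


def walk_archive(data: bytes, name: str, depth: int,
                 opts: ProtocolOptions, verdict: Verdict) -> None:
    """Recursively unpack ZIP layers, applying the uncompressed limits."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        verdict.scanned.append(name)          # plain file: scan it
        return
    if depth > opts.uncompressed_nest_limit:
        verdict.bypassed.append((name, "nest-limit"))
        return
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            inner = f"{name}/{info.filename}"
            if is_encrypted(info):
                verdict.bypassed.append((inner, "password-protected"))
            elif info.file_size > opts.uncompressed_oversize_limit_mb * MB:
                verdict.bypassed.append((inner, "uncompressed-oversize"))
            else:
                walk_archive(zf.read(info), inner, depth + 1, opts, verdict)


def inspect_file(name: str, data: bytes, opts: ProtocolOptions) -> Verdict:
    """Apply the oversize rule to the transferred file, then unpack archives."""
    verdict = Verdict()
    if len(data) > opts.oversize_limit_mb * MB:
        verdict.bypassed.append((name, "oversize"))
        if opts.oversize_log:
            verdict.log.append(f"oversize file {name}: {len(data)} bytes")
        verdict.action = "block" if opts.block_oversize else "pass"
        return verdict
    walk_archive(data, name, 1, opts, verdict)
    return verdict


def build_nested_zip(layers: int, payload: bytes) -> bytes:
    """Constructed sample: payload.txt wrapped in `layers` ZIP archives."""
    data, name = payload, "payload.txt"
    for i in range(layers):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, data)
        data, name = buf.getvalue(), f"layer{i + 1}.zip"
    return data


if __name__ == "__main__":
    sample = build_nested_zip(3, b"constructed sample content")
    print(inspect_file("upload.zip", sample, ProtocolOptions(uncompressed_nest_limit=2)))
    print(inspect_file("upload.zip", sample, ProtocolOptions()))
```

With a nest limit of 2 the innermost archive is bypassed rather than opened, which is the silent gap to watch for when lowering these limits for performance.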
Detection Rate and File Size
• Most malware is small.
• Very large files require more RAM to scan completely.
• Often, scanning only small files is an acceptable risk.
o Default: 10 MB threshold for oversize
o Maximum size varies by model
Malware Type   1MB     2MB     3MB     4MB     5MB     6MB     7MB     8MB     9MB     10MB    ∞
Exploit        99.83%  99.95%  99.97%  99.97%  99.98%  99.98%  99.99%  100%    100%    100%    100%
Mass-mailer    99.62%  99.87%  100%    100%    100%    100%    100%    100%    100%    100%    100%
Phish          100%    100%    100%    100%    100%    100%    100%    100%    100%    100%    100%
Spyware        95.08%  97.97%  98.88%  99.47%  99.76%  99.83%  99.89%  99.91%  99.94%  99.95%  100%
Trojan         97.52%  99.24%  99.62%  99.80%  99.88%  99.93%  99.95%  99.97%  99.98%  99.98%  100%
Virus          98.27%  99.37%  99.63%  99.80%  99.88%  99.3%   99.95%  99.97%  99.98%  99.99%  100%
Worm           99.08%  99.65%  99.74%  99.86%  99.89%  99.92%  99.94%  99.94%  99.95%  99.96%  100%
284
Applying the Antivirus Profile
Policy & Objects > IPv4 Policy
• Apply the antivirus profile and protocol options on the firewall policy, to scan traffic.
• Ensure that deep-inspection is selected for the SSL/SSH Inspection setting. It is required to scan encrypted protocols.

285
Enabling Botnet Protection
Network > Interfaces
• The botnet database:
o Now part of the antivirus contract
o Should be used with the antivirus profile to maximize the protection of internal endpoints
• Botnet is applied to external interface(s).
• Administrators can set the action to Block or Monitor.

286
Antivirus Block Page
• Antivirus block page contains:
o File name
o Virus name
o Web site host and URL
o Source and destination IP
o User name and group (if authentication is enabled)
o Link to FortiGuard Encyclopedia

287
Advanced Threat Protection Statistics
• The Advanced Threat Protection Statistics widget provides real-time statistics
related to antivirus scans.
• Shows statistics for:
o Virus scan
o FortiSandbox

Dashboard > Main

288
Antivirus Logs
Log & Report > AntiVirus

Log & Report > Forward Traffic

289
Best Practices
Objectives
• Recognize recommended antivirus configuration practices
• Log antivirus events
• Monitor antivirus and FortiSandbox events
• Use hardware acceleration with antivirus scans
Recommended Configuration Practices
• Enable FortiGuard push updates to ensure FortiGate receives antivirus updates as
soon as they are available.
System > FortiGuard

• Make sure FortiGate has a stable connection to FortiGuard servers.

291
Troubleshooting
Objectives
• Troubleshoot common antivirus issues
Troubleshooting Common Antivirus Issues
• FortiGuard update issues? Make sure that:
o FortiGate has a stable connection to the Internet
o FortiGate is able to resolve DNS (update.fortinet.net)
o TCP port 443 is open
• Force FortiGate to check for new antivirus updates.
# execute update-av

• Verify that the FortiGuard antivirus license is valid.


System > FortiGuard

293
Troubleshooting Common Antivirus Issues
• Valid contract but antivirus database is out-of-date?
o Check FortiGuard website for latest antivirus database version.
• https://fortiguard.com/updates/antivirus
o Make sure the antivirus profile is applied on at least one firewall policy.
• Run the real-time update debug to isolate update-related issues.
# diagnose debug application update -1
# diagnose debug enable
# execute update-av

294
Troubleshooting Common Antivirus Issues
• Unable to catch viruses even with a valid contract?
o Check all internal to external firewall policies for configuration errors.
o Ensure that the proper antivirus profile, along with the correct protocol options profile (proxy inspection mode) and SSL/SSH inspection, are applied.
o Make sure the same antivirus profile and SSL/SSH inspection are applied on all redundant internet connection firewall policies.
o Check the Advanced Threat Protection Statistics widget for virus statistics.
• Some useful antivirus commands are:
# get system performance status             Displays virus statistics for the last one minute
# diagnose antivirus database-info          Displays current antivirus database information
# diagnose autoupdate versions              Displays current antivirus engine and signature versions
# diagnose antivirus test "get scantime"    Displays scan times for infected files
# execute update-av                         Forces FortiGate to check for antivirus updates from the FortiGuard server
295
Review
✓ Use antivirus signatures.
✓ Review antivirus scanning techniques.
✓ Enable FortiSandbox with antivirus.
✓ Differentiate between available FortiGuard signature databases.
✓ Apply the antivirus profile in flow-based and proxy-based inspection modes.
✓ Compare all available scanning modes.
✓ Configure antivirus profiles and protocol options.
✓ Review virus statistics.
✓ Log and monitor antivirus events.
✓ Recognize recommended antivirus configuration practices.
✓ Log and monitor antivirus and FortiSandbox events.
✓ Use hardware acceleration with antivirus scans.
✓ Troubleshoot common antivirus issues.
FortiGate Security
Web Filtering

Lesson Progress

Inspection Modes

Web Filtering Basics

Additional Proxy-Based Web Filtering Features

DNS Filtering

Best Practices and Troubleshooting

298
Inspection Modes
Objectives
• Describe FortiGate inspection modes
• Implement full SSL inspection
Inspection Modes
• Per virtual domain (VDOM) settings
• Two inspection modes:
o Flow-based
• Only supports flow-based profiles
o Proxy-based
• Defaults to proxy-based profiles
• Supports flow-based profiles from the CLI only
System > Settings

• CLI
config system settings
set inspection-mode [ proxy | flow ]
end

300
Flow-Based Inspection
• Default inspection mode in FortiOS 5.6
• Uses single-pass direct filter approach (DFA) pattern matching to identify possible attacks or threats
• File is scanned on a flow basis as it passes through FortiGate
• Requires fewer processing resources
• Faster scanning
[Diagram: a single TCP handshake (SYN, SYN-ACK, ACK) between the client and the server passes through FortiGate.]
System > Settings
• Flow-based inspection mode with profile-based NGFW mode is the default in FortiOS 5.6.
• NGFW mode is only applicable to flow-based inspection mode.
301
NGFW Mode
• New option added in FortiOS 5.6
• Only available in flow-based inspection mode
• Features two modes:
o Profile-based
• Requires administrators to create and configure application control and web filtering profiles, then apply them to the selected firewall policy.
o Policy-based
• Allows administrators to apply application control and web filtering directly to a firewall policy, without having to configure application control and web filtering profiles.
• Requires administrators to apply a single SSL/SSH inspection profile to all firewall policies.
System > Settings
• A single SSL/SSH inspection profile will be applied to all firewall policies within the same VDOM.
• Antivirus configuration is always profile-based, regardless of the NGFW mode selection
302
Proxy-Based Inspection
• More thorough inspection
• Adds latency
o Complete content is scanned
• Two TCP connections
o From client to FortiGate acting as proxy server
o From FortiGate to server
• Communication is terminated on Layer 4
• More resource intensive
• Provides a higher level of threat protection
[Diagram: two TCP handshakes (SYN, SYN-ACK, ACK), one between the client and FortiGate and a second between FortiGate and the server.]
System > Settings
303
Configuring Inspection Mode
Dashboard > Main

Customizable at the VDOM level

Security Profiles > Proxy Options

Protocol ports can be customized

304
Web Filtering Basics
Objectives
• Describe web filter profiles
• Work with web filter categories
• Configure web filter overrides
• Configure custom categories
• Submit a FortiGuard rating request
Why Apply Web Filtering?
• Mitigate the negative effects of inappropriate web content
• Preserve employee productivity
• Prevent network congestion
• Prevent data loss and exposure of confidential information
• Decrease exposure to Web-based threats
• Prevent copyright infringement
• Prevent viewing of inappropriate or offensive material

306
When Does Web Filtering Activate?

[Diagram: the client resolves www.acme.com (DNS request and response), completes the TCP handshake (SYN, SYN/ACK, ACK) and sends HTTP GET; the web filter acts on the HTTP 200 response.]
• Web Filter: filtering is based on the response (HTTP 200)
307
Web Filter Profiles–Flow Based
• Profile-Based
o Configure Web Filter profile
• FortiGuard categories
• Static URL
• Rating option
o Apply profile to firewall policy
Security Profiles > Web Filter
• Policy-Based
o Apply application control and URL categories directly in a firewall policy
Policy & Objects > IPv4 Policy
308
Web Filter Profiles–Proxy Based
Security Profiles > Web Filter
• Proxy-based options
o Configure Web Filter profile
• FortiGuard categories
• Search engines
• Static URL
• Rating option
• Proxy option
o Apply profile to firewall policy
• Create or customize profiles
o Default
o Monitor-all
309
FortiGuard Category Filter
• Split into multiple categories and subcategories
o Release new categories and subcategories compatible with updated firmware
o Older firmware has new values mapped to existing categories

• Live connection to FortiGuard


o Active contract required
o Seven-day grace period on expiry

• FortiManager can be used instead of FortiGuard

310
How Are Categories Decided?
• FortiGate queries the FortiGuard
Distribution Network (FDN) to
determine a website category

• The web filter rating is determined by:


o Human rater
o Text analysis
o Exploitation of web structure

• Description of categories:
o www.fortiguard.com

311
How Does It Work?

URL www.example.com → URL categories → categories action (Security Profiles > Web Filter):
Proxy-Based (Profile)   Flow-Based (Profile)   Flow-Based (Policy)
Allow                   Allow                  Firewall policy action
Block                   Block
Monitor                 Monitor
Warning
Authenticate
312
Web Filter FortiGuard Category Action–Warning
• Category Action = Warning
• Exclusive for web filtering
o Proxy mode only
o Not available in:
• Static URL filtering feature
• DNS filter profile
• FortiGuard warning page
o Customizable warning interval
313
Web Filter FortiGuard Category Action–Authenticate
Security Profiles > Web Filter
1. Define Users and Group (for example, WebFilter_Group).
2. Set Action = Authenticate.
3. Select User Group.
[Screenshot: the Authenticate action applied to a category containing www.youtube.com.]
314
Web Rating Override
• Override the rating applied to a host name by FortiGuard service
o Host name reassigned to a completely different category and uses that action
o Rating overrides are checked prior to contacting FortiGuard for a rating
• Override applies to FortiGate device only
o Changes are not submitted to FortiGuard subscription services
• Host names only
o google.com
o www.google.com
o www.google.com/index.html
o google.*
315
Web Rating Override–Configuration
• Changes a website category, not the category action
o Make an exception

Security Profiles > Web Rating Overrides

316
Custom Categories
Security Profiles > Web Rating Overrides
• Additional customized categories can be added
• Categories in use cannot be deleted
317
URL Filtering
Security Profiles > Web Filter
• Check against configured URLs in URL filter
o Entries are checked from top to bottom
• Four possible actions:
o Allow: Access is permitted. Traffic is passed to remaining operations, including FortiGuard web filter, web content filter, web script filters, and antivirus scanning.
o Block: Attempts are denied. User given a replacement message.
o Monitor: Traffic is allowed through. Log entries are created. Also subject to all other security profile inspections.
o Exempt: Allows traffic from trusted sources to bypass all security inspections.
• Types of URL patterns:
o Simple, wildcards, or regular expressions
[Example from the slide: the URL www.somesite.com/someurl matches an entry with the action Block.]

318
FortiGuard Rating Submissions
• Request to re-evaluate a website’s rating:
System > FortiGuard

• Request for a website rating: www.fortiguard.com

319
Additional Proxy-Based Web Filtering Features
Objectives
• Configure usage quotas
• Configure web profile overrides
• Configure web filter to support search engines
• Configure web content filtering
FortiGuard Quotas
• Can only apply to the actions:
o Monitor, Warning, or Authenticate
• Assign quota for each source IP or for each user, if authentication is enabled
• Dedicated monitor feature
• Configuration: Security Profiles > Web Filter
• Monitor: Monitor > FortiGuard Quota
321
FortiGuard Usage Quotas

• Allow specific categories for a period of time
• Separate time for quotas
o Can be configured separately, or as a group
• 5 minutes: Advertising
• 20 minutes: Streaming Media
o Only apply to categories with actions:
• Monitor, Warning, or Authenticate
[Diagram: a "Games" quota applied to the Games category.]
322
Fortinet Bar
Security Profiles > Proxy Options
• Only supported for HTTP
• Provides direct feedback to users
• Related to security profiles
o FortiGuard quota, application control, and so on
• A proxy option profile setting
o Default communication port: 8011

323
Web Profile Overrides
Security Profiles > Web Filter
Security Profiles > Web Profile Overrides
• Override web filter profile for:
o User
o User group
o Source IP
• Requires authentication
o FortiGuard block page link
• Customize override expiration

324
Search Engine Filtering
Security Profiles > Web Filter
• Requires FortiGate to use deep SSL inspection
o Not supported when using certificate inspection
o FortiGate requires full access to the application layer data
• Restricts websites or images from search results
o Rewrites the search URL to enable safe search
• For Google, Yahoo, Bing, and Yandex
• Restricts YouTube access
o Available in proxy-based inspection mode
o Set for strict or moderate access control
o For more information, go to support.google.com
• Logs all search keywords
config webfilter profile
edit default
config web
set safe-search url
set safe-search header
end
end

325
Web Content Filtering
• Requires FortiGate to use SSL deep inspection
• Controls access to web pages containing specific patterns
• Scans the content of every website accepted by security policies
• Matches content from wildcards or Perl regular expressions
• The maximum number of web content patterns in a list is 5000
• Actions: Security Profiles > Web Filter

o Exempt
o Block

326
Advanced Web Filter Settings
• Rating options:
1. Allow access to websites that return a rating error from the FortiGuard Web Filter service.
2. Add additional security. The URL and IP address are rated separately.
3. Block HTTP redirects because they may circumvent web filtering.
4. Retrieve ratings for individual images in addition to websites (GIF, JPEG, PNG, BMP, and TIFF).
Security Profiles > Web Filter

327
Advanced Web Filter Settings
Security Profiles > Web Filter
• Proxy options:
1. Restrict Google account usage to specific domains by configuring the Google domains you want to allow.
2. FortiGate displays a detailed replacement message for 400-series and 500-series HTTP errors.
3. Limit users from sending information and files to websites.
4. Filter ActiveX, Java Applets, and Cookies from web traffic.

328
DNS Filtering
Objectives
• Apply a DNS filter
DNS-Based Web Filtering
• Uses FortiGuard SDNS ratings of DNS queries to decide access
• FortiGate must use FortiGuard SDNS service for DNS lookups
o DNS queries redirected to FortiGuard SDNS server
• Lightweight
o Lacks the precision of HTTP filtering
• SSL inspection never required
o DNS is plain text
• Cannot inspect a URL, only a host name
o DNS resolves host name
• Supports URL filtering and FortiGuard category only

330
When Does Filtering Activate?

[Diagram: the client's DNS request for www.acme.com, addressed to 8.8.8.8, passes through FortiGate, which also sends the request to the FortiGuard SDNS server. The FortiGuard SDNS response drives the DNS filter, and the client receives either the 8.8.8.8 response or an override response.]
• DNS Filter: filtering is based on the nameserver responses
331
DNS Filter
Security Profiles > DNS Filter
• DNS filter settings:
o Enable and disable FortiGuard category based filter
o Enable and disable static domain filter
o Block DNS request to known botnet command and control
o Allow access when rating error occurs
o Redirect blocked requests to a specific portal
• Apply profile to firewall policy
332
How Does It Work?
config system fortiguard
set sdns-server-ip "208.91.112.220"
end
URL www.example.com → DNS categories → categories action (Security Profiles > DNS Filter):
Proxy-Based (Profile)   Flow-Based (Profile)   Flow-Based (Policy)      DNS Based
Allow                   Allow                  Firewall policy action   Allow
Block                   Block                                           Block
Monitor                 Monitor                                         Monitor
Warning
Authenticate
333
Static Domain Filter
Security Profiles > DNS Filter
• Inspects DNS requests
• Actions to DNS requests
o Block, allow, monitor, or exempt
• Patterns
o Simple, wildcards, and regex

334
DNS–Botnet Command and Control Database
System > FortiGuard
• Block botnet command and control
o Imports FortiGuard botnet database
o Requires FortiGuard antivirus license
o Requires FortiGuard web filter license for DNS
filtering

Security Profiles > DNS Filter

335
Best Practices and Troubleshooting
Objectives
• Understand HTTP inspection order
• Troubleshoot filter issues
• Investigate FortiGuard connection issues
• Apply web filter cache best practices
• Monitor logs for web filtering events
HTTP Inspection Order

• Static URL Filter: Exempt → EXEMPT (from ALL further inspection); Allowed → FortiGuard Category Filter; Block → Block Page
• FortiGuard Category Filter: Allowed → Advanced Filters; Block → Block Page
• Advanced Filters: Allowed → Display Page; Block → Block Page
337
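The URL Filtering slide (four actions, entries checked top to bottom, simple/wildcard/regex patterns) and the HTTP Inspection Order slide above describe one evaluation pipeline. The following is an added example, not FortiOS code, that walks a URL through that pipeline: static URL filter, then rating overrides and FortiGuard category actions, then advanced filters. The URL filter entries, ratings table and category actions are constructed samples; treating a "simple" pattern as host plus path prefix, and modelling the "block HTTP redirects" option as a URL check, are assumptions of the model.

```python
"""Model of the static URL filter and the HTTP inspection order described above.

Added example, not FortiOS code. A URL is checked against an ordered static URL
filter (simple, wildcard and regex patterns; actions allow, block, monitor,
exempt), then against rating overrides and FortiGuard category actions, then
against advanced filters, in the order the slides give. The ratings and filter
entries are constructed samples; "simple" matching host-plus-path-prefix is an
assumption of this model.
"""
import fnmatch
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class UrlEntry:
    pattern: str   # e.g. "www.somesite.com/someurl"
    kind: str      # "simple", "wildcard" or "regex"
    action: str    # "allow", "block", "monitor" or "exempt"


def host_of(url: str) -> str:
    """Host part of a scheme-less URL such as 'www.example.com/path'."""
    return url.split("/", 1)[0].lower()


def url_matches(entry: UrlEntry, url: str) -> bool:
    if entry.kind == "simple":
        base = entry.pattern.rstrip("/")
        return url == base or url.startswith(base + "/")
    if entry.kind == "wildcard":
        return fnmatch.fnmatchcase(url, entry.pattern)
    if entry.kind == "regex":
        return re.search(entry.pattern, url) is not None
    raise ValueError(f"unknown pattern kind {entry.kind!r}")


def static_url_filter(url: str, entries):
    """Entries are checked from top to bottom; the first match wins."""
    for entry in entries:
        if url_matches(entry, url):
            return entry.action
    return None


def inspect_http(url, url_filter, rating_overrides, fortiguard_ratings,
                 category_actions, advanced_filters=(), allow_rating_error=True):
    """Return (result, trace) following the order: static URL filter,
    FortiGuard category filter, advanced filters, display page."""
    trace = []
    action = static_url_filter(url, url_filter)
    if action == "exempt":                   # bypasses ALL further inspection
        return "exempt", trace + ["url-filter:exempt"]
    if action == "block":
        return "block-page", trace + ["url-filter:block"]
    if action in ("allow", "monitor"):       # both continue to later stages
        trace.append(f"url-filter:{action}")
    # Rating overrides (host names only) are checked before asking FortiGuard.
    host = host_of(url)
    if host in rating_overrides:
        category = rating_overrides[host]
        trace.append(f"rating-override:{category}")
    else:
        category = fortiguard_ratings.get(host, "rating-error")
        trace.append(f"fortiguard:{category}")
    if category == "rating-error" and not allow_rating_error:
        return "block-page", trace           # "allow on rating error" disabled
    cat_action = category_actions.get(category, "allow")
    if cat_action == "block":
        return "block-page", trace
    if cat_action in ("warning", "authenticate"):   # proxy-mode user pages
        return cat_action, trace
    if cat_action == "monitor":
        trace.append("category:monitor")
    for name, check_fn in advanced_filters:  # e.g. block HTTP redirects
        if check_fn(url):
            return "block-page", trace + [f"advanced:{name}"]
    return "allowed", trace                  # display page


# Constructed sample configuration (not from the slides).
URL_FILTER = [
    UrlEntry("www.somesite.com/someurl", "simple", "block"),
    UrlEntry("*.example.org/*", "wildcard", "exempt"),
    UrlEntry(r"^intranet\.corp\.test/.*\.exe$", "regex", "monitor"),
]
RATING_OVERRIDES = {"www.example.com": "Business"}        # host names only
FORTIGUARD_RATINGS = {"www.example.com": "Games",
                      "intranet.corp.test": "Business", "games.test": "Games"}
CATEGORY_ACTIONS = {"Games": "block", "Business": "allow",
                    "Streaming Media": "warning"}
ADVANCED = [("http-redirect", lambda u: "/redirect?" in u)]


def check(url: str):
    """Evaluate one URL against the constructed configuration."""
    return inspect_http(url, URL_FILTER, RATING_OVERRIDES, FORTIGUARD_RATINGS,
                        CATEGORY_ACTIONS, ADVANCED)
```

The trace shows which stage produced the verdict, which is the first thing to establish when a block page appears for a site that "should" be allowed (or, more dangerously, when an exempt entry silently skips antivirus scanning).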
Apply the Filters
• It’s not working? Why?
o Did you apply the security profiles to the firewall policies?
o Did you apply the SSL inspection profile, if needed?
o Is FortiGuard SDNS service accessible for DNS filters?
Policy & Objects > IPv4 Policy
config firewall policy
edit 1
set dnsfilter-profile <profile>
set webfilter-profile <profile>
next
end
config firewall profile-group
edit <group name>
set dnsfilter-profile <profile>
set webfilter-profile <profile>
next
end
338
FortiGuard Connection
• FortiGuard category filtering requires a live connection
• Weight calculation: default = (difference in time zone) x 10
o Goes down over time (never below default)
o Goes up if packets are lost

  Local # diagnose debug rating
  Locale  : english
  License : Contract
  -=- Server List (Tue Jun  7 10:41:32 2017) -=-

  IP              Weight  RTT  Flags  TZ  Packets  Curr Lost  Total Lost
  96.45.33.65          0   72          -8      868          0         114
  96.45.33.64          0   72          -8      868          0         114
  208.91.112.196       0  106  DI      -8      859          0          80
  208.91.112.198       0  118  D       -8      867          0          32
  64.26.151.37        30   17          -5      769          0           1

339
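The server list above is easier to reason about when the weight rule is applied to it programmatically. The following Python is an added example (not Fortinet code and not from the course): it parses the `diagnose debug rating` table shown on the slide, recomputes each server's default weight from the time-zone difference, and flags servers whose current weight is above their default, which only happens after packet loss. It assumes the local time zone is -8 (the rows with weight 0 are at TZ -8) and, for `preferred_server`, assumes a lowest-weight-then-lowest-RTT preference, which the slide does not state.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: the server list printed by "diagnose debug rating" on the slide.
RATING_OUTPUT = """\
Locale  : english
License : Contract
-=- Server List (Tue Jun  7 10:41:32 2017) -=-

IP              Weight  RTT  Flags  TZ  Packets  Curr Lost  Total Lost
96.45.33.65          0   72          -8      868          0         114
96.45.33.64          0   72          -8      868          0         114
208.91.112.196       0  106  DI      -8      859          0          80
208.91.112.198       0  118  D       -8      867          0          32
64.26.151.37        30   17          -5      769          0           1
"""


@dataclass
class RatingServer:
    ip: str
    weight: int
    rtt: int
    flags: str
    tz: int
    packets: int
    curr_lost: int
    total_lost: int


# One server row: IP, weight, RTT, optional flag letters, TZ, then three packet counters.
ROW_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<weight>\d+)\s+(?P<rtt>\d+)\s+"
    r"(?P<flags>[A-Z]*)\s*(?P<tz>-?\d+)\s+(?P<packets>\d+)\s+"
    r"(?P<curr>\d+)\s+(?P<total>\d+)\s*$"
)


def parse_rating_output(text: str) -> List[RatingServer]:
    """Extract the server rows; banner and header lines do not match the row pattern."""
    servers = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            servers.append(RatingServer(
                m["ip"], int(m["weight"]), int(m["rtt"]), m["flags"], int(m["tz"]),
                int(m["packets"]), int(m["curr"]), int(m["total"])))
    return servers


def default_weight(local_tz: int, server_tz: int) -> int:
    """Slide formula: default weight = (difference in time zone) x 10."""
    return abs(local_tz - server_tz) * 10


def elevated_weight_servers(local_tz: int, servers: List[RatingServer]) -> List[RatingServer]:
    """Servers whose weight is above their default. Weight only rises on packet loss and
    decays back toward (never below) the default, so these had recent loss."""
    return [s for s in servers if s.weight > default_weight(local_tz, s.tz)]


def preferred_server(servers: List[RatingServer]) -> RatingServer:
    """Assumed preference for this example: lowest weight, then lowest RTT."""
    return min(servers, key=lambda s: (s.weight, s.rtt))


if __name__ == "__main__":
    local_tz = -8  # assumption: FortiGate sits in the same zone as the weight-0 servers
    for s in parse_rating_output(RATING_OUTPUT):
        print(s.ip, "weight", s.weight, "default", default_weight(local_tz, s.tz), s.flags)
```

In the slide's output every weight equals its default, so no server has unrecovered packet loss; a weight higher than the time-zone value on a server is the sign to look at in a FortiGuard connectivity case.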
Web Filter Cache
System > FortiGuard
• Improves performance by reducing requests to FortiGuard
• The cache is checked before sending a request to the FortiGuard server
o FortiGate remembers the response for visited websites
o The TTL setting controls the number of seconds the query results are cached
o A request is considered a rating error after the timeout (15 seconds by default)
• UDP port 53 or 8888 for FortiGuard or FortiManager communications
• Enabled by default; the default TTL is 60 minutes (3600 seconds)

  config system fortiguard
      set webfilter-cache [ enable | disable ]
      set webfilter-cache-ttl < 300-86400 >
      set webfilter-timeout < 1-30 >
  end

340
Web Filter Log
Log & Report > Web Filter
• Records HTTP traffic activity, such as:
o Action, profile used, category, URL, quota info, and so on

  date=2018-01-18 time=10:20:04 logid="0317013312" type="utm" subtype="webfilter" eventtype="ftgd_allow" level="notice" vd="root" logtime=1516299603 policyid=1 sessionid=1839 srcip=10.0.1.10 srcport=56542 srcintf="port3" srcintfrole="undefined" dstip=205.250.85.48 dstport=80 dstintf="port1" dstintfrole="undefined" proto=6 service="HTTP" hostname="detectportal.firefox.com" profile="default" action="passthrough" reqtype="direct" url="/" sentbyte=367 rcvdbyte=0 direction="outgoing" msg="URL belongs to an allowed category in policy" method="domain" cat=52 catdesc="Information Technology"

341
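The record above is the key=value format every FortiGate log uses, and the thing that trips up quick parsers is a quoted value that contains spaces (`msg="URL belongs to ..."`) or an equals sign (`url="/play?id=42"`). The Python below is an added example (not Fortinet code and not part of the course) that parses such records and summarizes web filter activity per action, per client and per category. The first sample line is the slide's own record; the other two lines are constructed variations with a placeholder `logid` so the summary has something to count.

```python
import shlex
from collections import Counter
from typing import Dict, List

# The first record is the one shown on the slide; the rest are constructed variations
# (placeholder logid="0000000000") covering a blocked request and a second client.
WEBFILTER_LOGS = [
    'date=2018-01-18 time=10:20:04 logid="0317013312" type="utm" subtype="webfilter" '
    'eventtype="ftgd_allow" level="notice" vd="root" logtime=1516299603 policyid=1 '
    'sessionid=1839 srcip=10.0.1.10 srcport=56542 srcintf="port3" srcintfrole="undefined" '
    'dstip=205.250.85.48 dstport=80 dstintf="port1" dstintfrole="undefined" proto=6 '
    'service="HTTP" hostname="detectportal.firefox.com" profile="default" action="passthrough" '
    'reqtype="direct" url="/" sentbyte=367 rcvdbyte=0 direction="outgoing" '
    'msg="URL belongs to an allowed category in policy" method="domain" cat=52 '
    'catdesc="Information Technology"',
    # constructed: a blocked request to a Games site
    'date=2018-01-18 time=10:21:11 logid="0000000000" type="utm" subtype="webfilter" '
    'eventtype="ftgd_blk" level="warning" vd="root" policyid=1 srcip=10.0.1.10 '
    'dstip=203.0.113.5 dstport=443 service="HTTPS" hostname="games.example" profile="default" '
    'action="blocked" url="/play?id=42" msg="URL belongs to a denied category in policy" '
    'cat=20 catdesc="Games"',
    # constructed: an allowed request from a second client
    'date=2018-01-18 time=10:22:30 logid="0000000000" type="utm" subtype="webfilter" '
    'eventtype="ftgd_allow" level="notice" vd="root" policyid=1 srcip=10.0.1.11 '
    'dstip=198.51.100.7 dstport=80 service="HTTP" hostname="www.example.org" profile="default" '
    'action="passthrough" url="/" msg="URL belongs to an allowed category in policy" '
    'cat=52 catdesc="Information Technology"',
]


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Split a FortiGate key=value record into a dict.

    shlex keeps a quoted value such as msg="URL belongs to ..." as a single token, and
    partition() splits only on the first '=' so url="/play?id=42" keeps its query string."""
    fields: Dict[str, str] = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def parse_all(lines: List[str]) -> List[Dict[str, str]]:
    return [parse_fortigate_log(line) for line in lines]


def count_by_action(records: List[Dict[str, str]]) -> Counter:
    """How many requests were passed through, blocked, and so on."""
    return Counter(r.get("action", "") for r in records)


def blocked_hosts_by_client(records: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Which hosts each client was blocked from reaching (useful when a user reports a block)."""
    out: Dict[str, List[str]] = {}
    for r in records:
        if r.get("action") == "blocked":
            out.setdefault(r["srcip"], []).append(r["hostname"])
    return out


def categories_seen(records: List[Dict[str, str]]) -> Dict[int, str]:
    """FortiGuard category number to description, as observed in the logs."""
    return {int(r["cat"]): r["catdesc"] for r in records if "cat" in r}


if __name__ == "__main__":
    recs = parse_all(WEBFILTER_LOGS)
    print(count_by_action(recs))
    print(blocked_hosts_by_client(recs))
    print(categories_seen(recs))
```

The same parser works unchanged on the other FortiGate log types in this course (application control, IPS, DoS), since they share the key=value layout.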
Review

✓ Describe FortiOS inspection modes
✓ Implement full SSL inspection
✓ Describe web filter profiles
✓ Work with web filter categories
✓ Configure web filter overrides
✓ Configure custom categories
✓ Submit a FortiGuard rating request
✓ Configure usage quotas
✓ Configure web profile overrides
✓ Configure web filter to support search engines
✓ Configure web content filtering
✓ Apply DNS filter
✓ Configure SSL/SSH inspection profiles
✓ Exempt traffic from SSL inspection
✓ Apply SSL inspection profile to a firewall policy
✓ Monitor logs for web filtering events
FortiGate Security
Application Control

© Copyright Fortinet Inc. All rights reserved. Last Modified: 24 January 2020
Lesson Progress

Application Control Basics

Application Control Configuration

Logging and Monitoring Application Control Events

Best Practices and Troubleshooting

344
Application Control Basics
Objectives
• Understand application control
• Detect types of applications
• Understand the FortiGuard application control services database
• Use application control signatures
What is Application Control and How Does It Work?
• Detects and acts on network application traffic
o Facebook, Skype, Gmail, LogMeIn, and so on
o Supports many applications and categories, including P2P and proxy
o Can scan secure protocols
• Requires SSL/SSH inspection profile in the firewall policy

• How does it work?
o Uses the IPS engine
o Flow-based scan (not proxy-based)
o Compares traffic to known application patterns
• Only reports packet matches for an enabled pattern
• Can detect even if users try to circumvent through an external proxy

346
Detecting Peer-to-Peer Applications
• Why is peer-to-peer (P2P) traffic so difficult to detect?
o Traditional protocols (HTTP, FTP) have a client-server architecture.
• It uses a single server with large bandwidth for many clients.
• It requires predictable port numbers, NAT/PAT, and firewall policies.
o Peer-to-peer protocols (BitTorrent, Skype) have a distributed architecture.
• Each peer is a server with small bandwidth to share.
• It is difficult to manage multiple firewall policies to block them.
• It does not depend on port forwarding.
• It uses evasive techniques to bypass these limitations.

347
Client-Server Architecture
• Traditional download
o One client
o One server
o Known port number
o Easily blocked by firewall policies

348
Peer-to-Peer Architecture
• Peer-to-peer (P2P) download
o One client
o Many servers
o Dynamic port numbers
o Optionally, dynamic encryption
o Hard to block with traditional firewalls
• Requires more sophisticated scanning

349
Application Control Signatures
• Application control is now a free service
o The database of application control signatures is separate from the IPS database.
System > FortiGuard
• Shows the currently installed application control database version
• Push updates can also be enabled
• Scheduled updates can be configured
• FortiGate can be forced to check for the latest updates

350
Application Control Database
• The complete list of applications supported by FortiGuard application control can be viewed on http://fortiguard.com/
o You can review the application category or request a signature for a new application from the same website.
o Refine the search using filters.

351
Hierarchical Structure
• Application control signatures are organized in a hierarchical structure.
o The parent signature takes precedence over the child signature.

  Social.Media
    Facebook: Facebook_Chat, Facebook_Apps
    LinkedIn: LinkedIn_Message
  Audio/Video
    YouTube: YouTube_Video.Play

352
Application Control Configuration
Objectives
• Configure application control in profile mode
• Configure application control in next generation firewall (NGFW) policy mode
• Use the application control traffic shaping policy
Application Control Profiles
• Configured when a FortiGate or a VDOM is operating in:
o Flow-based with NGFW mode set to profile-based or proxy-based inspection mode
• Use flow-based scanning techniques in both inspection modes
• Allow you to filter application traffic based on:
o Categories
• Similar applications are grouped together
• Can view application control signatures for that category
• Can configure actions for predefined categories
o Application overrides
• Allows you to configure actions for specific signatures or applications
o Filter overrides
• Provides a more flexible way to create application categorization based on behaviour, popularity, protocol,
risk, and so on

• Must be applied to a firewall policy

354
Configuring an Application Control Profile
• The application control profile is available only in flow-based with NGFW mode set to profile-based inspection mode and proxy-based inspection mode.
Security Profiles > Application Control
o Displays the list of application control categories
o An action can be applied to all categories at once
o A separate entry matches traffic to unidentified applications

355
Configuring Additional Options
• Application control profiles include additional options
Security Profiles > Application Control
o The number to the right of the cloud symbol indicates the number of cloud applications in the category.

356
Scanning Order
Security Profiles > Application Control
• The IPS engine identifies the application.
• The application control profile scans for matches in this order:
1. Application overrides
2. Filter overrides
3. Categories

357
Order of Scan and Blocking Behavior
1. Application Overrides: Battle.Net and Dailymotion applications are set to Monitor.
2. Filter Overrides: Excessive bandwidth consuming applications are set to Block.
o Will contain applications from different categories: BitTorrent (P2P), Adobe.Update (Update), FaceTime (VOIP), Flickr (Social.Media)
3. Categories: Game and Video/Audio categories are set to Block and all other categories are set to Monitor.
Security Profiles > Application Control

358
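The scanning order decides the outcome whenever one application is covered by more than one stage, as in the example above where Battle.Net is in the blocked Game category but is monitored because the application override wins. The following Python is an added example (not Fortinet code and not part of the course) that evaluates a signature against a profile built from the slide's settings in the same three-stage order, and reports which stage matched. The signature-to-category map is a constructed subset, and the action for unidentified applications is an assumed setting.

```python
from typing import Dict, List, Optional, Set, Tuple

# Constructed data mirroring the slide's example profile. The signatures are the ones
# named on the slide; the category map is a small assumed subset.
APP_CATEGORY: Dict[str, str] = {
    "Battle.Net": "Game", "Dailymotion": "Video/Audio", "YouTube": "Video/Audio",
    "BitTorrent": "P2P", "Adobe.Update": "Update", "FaceTime": "VoIP",
    "Flickr": "Social.Media", "LinkedIn": "Social.Media",
}
# 1. Application overrides: actions for specific signatures
APPLICATION_OVERRIDES: Dict[str, str] = {"Battle.Net": "monitor", "Dailymotion": "monitor"}
# 2. Filter overrides: (filter name, signatures the filter selects, action)
FILTER_OVERRIDES: List[Tuple[str, Set[str], str]] = [
    ("Excessive-Bandwidth", {"BitTorrent", "Adobe.Update", "FaceTime", "Flickr"}, "block"),
]
# 3. Categories: explicit actions; everything else is monitored
CATEGORY_ACTIONS: Dict[str, str] = {"Game": "block", "Video/Audio": "block"}
DEFAULT_CATEGORY_ACTION = "monitor"
UNKNOWN_APPLICATION_ACTION = "monitor"  # assumed setting for unidentified applications


def evaluate(signature: Optional[str]) -> Tuple[str, str]:
    """Return (action, matching stage) for an application identified by the IPS engine,
    checking the stages in the profile's scanning order and stopping at the first match."""
    if signature is None or signature not in APP_CATEGORY:
        return UNKNOWN_APPLICATION_ACTION, "unknown-applications"
    if signature in APPLICATION_OVERRIDES:
        return APPLICATION_OVERRIDES[signature], "application-override"
    for name, members, action in FILTER_OVERRIDES:
        if signature in members:
            return action, "filter-override:" + name
    category = APP_CATEGORY[signature]
    return CATEGORY_ACTIONS.get(category, DEFAULT_CATEGORY_ACTION), "category:" + category


def is_logged(action: str) -> bool:
    """Per the Actions slide: allow continues without logging; monitor, block and quarantine log."""
    return action in {"monitor", "block", "quarantine"}


def evaluate_flows(signatures: List[Optional[str]]) -> List[Tuple[Optional[str], str, str, bool]]:
    """Evaluate a list of identified applications; each result is (signature, action, stage, logged)."""
    results = []
    for sig in signatures:
        action, stage = evaluate(sig)
        results.append((sig, action, stage, is_logged(action)))
    return results


if __name__ == "__main__":
    for row in evaluate_flows(["Battle.Net", "BitTorrent", "Flickr", "YouTube", "LinkedIn", "Some.Unknown.App"]):
        print(row)
```

Note that Flickr is blocked even though its Social.Media category is only monitored: the filter override is checked before the category, which is exactly the behaviour the slide describes.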
Actions
• Allow
o Continue to the next scan or feature and do not log
• Monitor
o Allow but log
• Good for the initial study of your network traffic
• Block
o Drop packets and log
• Quarantine
o Block and log traffic from the attacker IP address until the expiration time
• Can set the duration to days, hours, or minutes
• The profile also lets you view the list of signatures of native or cloud applications for a specific category.

359
Applying an Application Control Profile
Policy & Objects > IPv4 Policy
• The application control profile must be applied on a firewall policy to scan the passing traffic
o An SSL/SSH Inspection profile must also be selected
o Use the deep-inspection profile to scan encrypted traffic.

360
Block Page
• Application control in profile
mode will display similar HTTP
block pages
• HTTP block page includes:
o Category
o Website host and URL
o Source and destination IP
o User name and group (if
authentication is enabled)
o Policy UUID
o FortiGate host name

361
NGFW Policy-Based Mode
System > Settings
• Available in flow-based inspection mode only
• Application control is configured directly on the firewall policy
o Cannot configure an application control profile
• The same SSL/SSH inspection profile must be used for all firewall policies
• Requires the use of a central SNAT policy

362
NGFW Policy Mode
Policy & Objects > IPv4 Policy
• You can select applications or application categories directly on a firewall policy.
o The list is searchable.
• The ACCEPT or DENY action can be applied to allow or block the selected application traffic.
• If a URL Category is set, then applications that are added to the policy must be within the browser-based technology category.
• AntiVirus, DNS Filter, and IPS security profiles can also be applied to a firewall policy with the action set to ACCEPT.

363
How Does NGFW Policy-Based Filtering Work?
• It is a three-step process:
o Step 1 – Allow all applications until they can be identified:
• Uses only the IPv4 header information to match the policy
• Accepts the traffic
• Creates an entry in the session table with the may_dirty flag
• Forwards all the packets to the IPS engine for inspection
o Step 2 – As soon as the IPS engine identifies the application, it adds to the session:
• dirty flag - instructs the kernel to re-evaluate session entry
• valid_app flag - indicates that IPS engine has validated the traffic
• Application ID
o Step 3 – The dirty flag instructs the kernel to look up the firewall policy again:
• This time the kernel uses the layer 4 headers and the layer 7 information to match the traffic
• The action configured in the firewall policy is applied to the identified application traffic

364
Configuring App Control in Policy-Based Mode
Policy & Objects > IPv4 Policy

365
Central SNAT Policy
Policy & Objects > IPv4 Policy
• Must use a Central SNAT policy!

366
NGFW Policy Matching
• Based on the configuration shown in the screenshot:
o Facebook, Flickr, Google.Plus, Instagram, and Pinterest application traffic will be blocked by policy
sequence 2.
o All other Social.Media (for example, LinkedIn) application traffic will be allowed by policy sequence
3.
o All applications that belong to the P2P application category will be blocked by policy sequence 4.
o All other traffic and applications will be allowed by policy sequence 5.
Policy & Objects > IPv4 Policy

367
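The three-step process and the policy matching example above fit together as a small state machine: a session is accepted on header information alone and flagged `may_dirty`, the IPS engine later adds `dirty` and `valid_app` with the application ID, and the `dirty` flag makes the kernel match the policy list again with layer 7 information. The Python below is an added example (not Fortinet code and not part of the course) that models that sequence over policies built from the slide's sequence 2 to 5. It assumes those four policies share the same layer 4 criteria (so only the application decides), uses a constructed application-to-category map, and adds a constructed Dropbox/Storage.Backup entry to show the catch-all sequence 5.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed application -> category map for the applications named on the slide,
# plus one constructed entry (Dropbox / Storage.Backup) that no specific policy covers.
APP_CATEGORY = {
    "Facebook": "Social.Media", "Flickr": "Social.Media", "Google.Plus": "Social.Media",
    "Instagram": "Social.Media", "Pinterest": "Social.Media", "LinkedIn": "Social.Media",
    "BitTorrent": "P2P", "Dropbox": "Storage.Backup",
}


@dataclass
class Policy:
    seq: int
    action: str                                  # "accept" or "deny"
    applications: Set[str] = field(default_factory=set)
    categories: Set[str] = field(default_factory=set)

    def matches_l7(self, app: str) -> bool:
        """A policy with no application criteria matches any identified application."""
        if not self.applications and not self.categories:
            return True
        return app in self.applications or APP_CATEGORY.get(app) in self.categories


# Policies from the slide's example (sequence 2-5). Assumption: identical layer 4 criteria.
POLICIES = [
    Policy(2, "deny", applications={"Facebook", "Flickr", "Google.Plus", "Instagram", "Pinterest"}),
    Policy(3, "accept", categories={"Social.Media"}),
    Policy(4, "deny", categories={"P2P"}),
    Policy(5, "accept"),
]


@dataclass
class Session:
    srcip: str
    dstip: str
    dport: int
    flags: Set[str] = field(default_factory=set)
    app: Optional[str] = None
    policy: Optional[int] = None
    action: Optional[str] = None


def step1_initial_lookup(s: Session, policies: List[Policy]) -> Session:
    """Step 1: only header information is available. Accept provisionally, mark the
    session may_dirty and hand the packets to the IPS engine."""
    s.policy = policies[0].seq   # first policy matching at layer 4 (all of them here)
    s.action = "accept"
    s.flags.add("may_dirty")
    return s


def step2_ips_identifies(s: Session, app: str) -> Session:
    """Step 2: the IPS engine identified the application; store the ID and set the flags."""
    s.app = app
    s.flags.update({"dirty", "valid_app"})
    return s


def step3_reevaluate(s: Session, policies: List[Policy]) -> Session:
    """Step 3: the dirty flag makes the kernel match the policy list again, this time
    with layer 7 information; the first policy that matches supplies the action."""
    if "dirty" not in s.flags or s.app is None:
        return s
    for p in policies:
        if p.matches_l7(s.app):
            s.policy, s.action = p.seq, p.action
            break
    s.flags.discard("dirty")   # re-evaluation done; valid_app stays on the session
    return s


def process(app: str) -> Session:
    """Run one session through all three steps with a constructed client/server pair."""
    s = Session("10.0.1.10", "203.0.113.10", 443)
    step1_initial_lookup(s, POLICIES)
    step2_ips_identifies(s, app)
    return step3_reevaluate(s, POLICIES)


if __name__ == "__main__":
    for app in ["Facebook", "LinkedIn", "BitTorrent", "Dropbox"]:
        s = process(app)
        print(app, "-> policy", s.policy, s.action, sorted(s.flags))
```

The important operational consequence is visible in step 1: the first packets of every session are accepted before the application is known, which is why the slide on logging shows blocked applications still generating an initial session.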
Application Control Traffic Shaping
• Granular control of bandwidth usage
• Some traffic can’t be distinguished by port number or IP
o Example: YouTube video URLs don’t say whether it is a text comment or a video
https://www.youtube.com/watch?v=eO2vyJDoP3M
• Only traffic that matches the signature is shaped
o Won’t interfere with other apps on the same port/protocol
o Useful for managing bandwidth-intensive apps

[Diagram] Example bandwidth split: Total 1,536 Kbps = Video 1,400 Kbps + Other applications 136 Kbps

368
Configuring the Traffic Shaping Policy
Policy & Objects > Traffic Shaping Policy
• Must ensure the matching criteria align with the settings in your firewall policy
o The firewall policy must allow the traffic that you wish to control the bandwidth of.
• Can shape traffic for application control based on:
o Application category
o Application
• A separate matching field on the same page is used for web filtering.

369
Logging and Monitoring Application Control
Objectives
• Enable application control logging events
• Monitor application control events
• Use FortiView to see a detailed view of application control logs
Enabling Application Control Logging
Policy & Objects > IPv4 Policy
• Example of NGFW policy-based mode firewall policies
o All attempts to access the selected applications will be blocked and logged.
o Access to P2P applications will be blocked; however, the attempts will not be logged.

371
Logging Application Control Events
• All application control events are logged in the Application Control pane on the Log &
Report page.
Log & Report > Application Control

372
Application Control Events in FortiView
• Application control events are saved in FortiView on the Applications and Cloud
Applications pages.
o Requires disk logging
FortiView > Applications

373
Best Practices and Troubleshooting
Objectives
• Recognize best practices for application control configuration
• Understand how to troubleshoot application control update issues
Best Practices for Application Control
• Apply application control to only the traffic that requires it.
o Specify subnets (source, destination, or both) within the firewall policy, whenever possible.
o Don’t apply application control to internal-to-internal traffic.
• If using load balancing or failover Internet connections, apply identical application
control on all load balancing or redundant firewall policies.
• Select Deep-Inspection instead of Certificate-based inspection as the SSL/SSH
inspection method.
• Use a FortiCloud account to save and view application control events in FortiView.
o FortiGate devices that don’t have an internal disk for logging require FortiCloud logging to use
FortiView.
• Use hardware acceleration for application signature matching.

375
Application Control Troubleshooting
• If FortiGuard has update issues, make sure that:
o FortiGate has a stable connection to the Internet.
o FortiGate is able to resolve DNS (update.fortinet.com).
o TCP port 443 is open.
• Force FortiGate to check for new application control updates.
execute update-now

• Verify that the application control signatures database version is up-to-date with the
FortiGuard website.
System > FortiGuard

376
Review
✓ Understand application control
✓ Detect types of applications
✓ Understand FortiGuard application control services
✓ Use application control signatures
✓ Configure application control in profile mode
✓ Configure application control in NGFW policy mode
✓ Use the application control traffic shaping policy
✓ Enable application control logging events
✓ Monitor application control events
✓ Use FortiView to see a detailed view of application control logs
✓ Recognize best practices for application control configuration
✓ Understand how to troubleshoot application control update issues
FortiGate Security
Intrusion Prevention and Denial of Service

© Copyright Fortinet Inc. All rights reserved. Last Modified: 24 January 2020
Lesson Progress

Intrusion Prevention System

Denial of Service

Web Application Firewall

Best Practices

Troubleshooting

379
Intrusion Prevention System (IPS)
Objectives
• Differentiate between exploits and anomalies
• Identify the different components of an IPS package
• Manage FortiGuard IPS updates
• Select an appropriate IPS signature database
• Configure an IPS sensor
• Identify the IPS sensor inspection sequence
• Apply IPS to network traffic
Why use IPS?
• Increased volume and
sophistication of attacks on
organizations
o Driven by previously successful
high-profile hacks and a highly
profitable black-market demand
for stolen data
• More attacks against client
and cloud applications
o Attacks are no longer targeted
only at servers and server-based
applications
• BYOD and remote workers
increase risk of exposure
See attacks happening in real time around the world on the FortiGuard
Labs live threat map.

381
Exploits and Anomalies
Exploit:
• A known, confirmed attack
• Detected when a file or traffic matches a signature pattern:
o IPS signatures
o WAF signatures
o Antivirus signatures
• Example:
o Exploit of known application vulnerabilities
Anomaly:
• Can be zero-day or denial of service (DoS) attacks
• Detected by behavioral analysis:
o Rate-based IPS signatures
o DoS policies
o Protocol constraints inspection
• Example:
o Abnormally high rate of traffic (DoS/flood)

382
IPS
• Flow-based detection and blocking
o Known exploits that match signatures
o Network errors and protocol anomalies
• IPS components
o IPS signature databases
o Protocol decoders
o IPS engine
• Application control
• Antivirus (flow based)
• Web filter (flow based)
• Email filter (flow based)
• Data leak prevention (DLP) (flow-based in one-arm sniffer mode)

383
What Are Protocol Decoders?
• Decoders parse protocols.
• IPS signatures find parts of a protocol that don’t conform.
o For example, too many HTTP headers, or a buffer overflow attempt
• Unlike proxy-based scans, IPS often does not require IANA standard ports.
o Automatically selects the decoder for the protocol at each OSI layer

[Diagram] Decoder check: does the traffic meet protocol requirements and standards?

384
FortiGuard IPS Updates
System > FortiGuard
• IPS packages are updated by FortiGuard.
o IPS signature databases
o Protocol decoders
o IPS engine
• Regular updates are required to ensure IPS remains effective.
• Enable push updates to receive updates as they become available.

385
Choosing the Signature Database
• Regular
o Common attacks with fast, certain identification (default action is block)
• Extended
o Performance-intensive

System > FortiGuard

386
List of IPS Signatures
Security Profiles > Intrusion Prevention
• The list shows the active signature database and the default action of each signature.

387
Configuring IPS Sensors
• Add individual signatures
• Add groups of signatures using filters

Security Profiles > Intrusion Prevention

388
Configuring IPS Sensors
• Add rate-based signatures to block traffic when the threshold is exceeded during a
time period
o Track the traffic based on source or destination IP address

Security Profiles > Intrusion Prevention

389
IPS Sensor Inspection Sequence
Security Profiles > Intrusion Prevention
• Individual signature actions will override any filter-based action.

390
Configuring IP Exemptions
• Exempt specific source or destination IP addresses from specific signatures
• Only configurable under individual IPS signatures

Security Profiles > Intrusion Prevention

391
IPS Actions
• Choose what action to take when a signature is triggered

Security Profiles > Intrusion Prevention

392
Applying IPS Inspection
• Add IPS sensors as security profiles to firewall policies
Policy & Objects > IPv4 Policy

393
IPS Logging
Log & Report > Intrusion Prevention

394
Denial of Service (DoS)
Objectives
• Identify a DoS attack
• Configure a DoS policy
DoS Attacks
• Attacker’s sessions consume all resources (RAM, CPU, port numbers)
• Slows down or disables the target until it can’t serve legitimate requests

[Diagram] The attacker overloads the server with HTTP requests across the Internet; legitimate requests can’t get through and fail.

396
DoS Policy
Policy & Objects > IPv4 DoS Policy
• DoS policies apply the action when the configured threshold is exceeded
o Half-open connections, source address, destination address, ports, and so on
• Multiple sensors can detect different anomalies

[Diagram] The DoS policy is applied on the interface facing the Internet.

397
Types of DoS Attacks
• TCP SYN flood
o Attacker floods victim with incomplete TCP/IP connection requests
o The victim’s connection table becomes full, so legitimate clients can’t connect
• ICMP sweep
o Attacker sends ICMP traffic to find targets
o Attacker then attacks hosts that reply
• TCP port scan
o Attacker probes a victim by sending TCP/IP connection requests to varying destination ports
o Based on replies, attacker can map out which services are running on the victim system
o Attacker then targets those destination ports to exploit the system

398
Types of DoS Attacks
• Distributed DoS
o Many of the same characteristics of an individual DoS attack
o However, attack originates from multiple sources

399
DoS Policy Configuration
Policy & Objects > IPv4 DoS Policy
• Can apply multiple DoS policies to
any physical or logical interface
• Types
o Flood
• Detects a large volume of the same type of
traffic
o Sweep/scan
• Detects probing attempts
o Source (SRC)
• Detects a large volume of traffic from an
individual IP
o Destination (DST)
• Detects a large volume of traffic destined for
an individual IP

400
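Rate-based IPS signatures (threshold exceeded during a time period, tracked by source or destination) and the DoS policy types listed above (flood, sweep/scan, SRC, DST) rest on the same mechanism: count events per tracked key inside a sliding time window. The Python below is an added example (not Fortinet code and not part of the course) implementing that mechanism and using it for two of the attacks from the "Types of DoS Attacks" slides: a TCP SYN flood tracked by destination, and a TCP port scan tracked by source where only distinct destination ports count. The thresholds, window lengths and traffic samples are constructed for illustration and are not FortiGate defaults.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional, Tuple


class SlidingWindowDetector:
    """Count events per tracked key inside a sliding time window and signal when the
    count exceeds the threshold. With `distinct` set, only distinct values of that
    field are counted (for example destination ports for a port scan)."""

    def __init__(self, name: str, threshold: int, duration: float, key: str,
                 distinct: Optional[str] = None):
        self.name = name
        self.threshold = threshold      # alert when the window holds MORE than this
        self.duration = duration        # window length in seconds
        self.key = key                  # "src" or "dst": the field we track by
        self.distinct = distinct        # optional field whose distinct values are counted
        self.windows: Dict[str, Deque[Tuple[float, object]]] = defaultdict(deque)

    def observe(self, event: Dict[str, object], ts: float) -> bool:
        """Feed one event; return True when this event pushes its key over the threshold."""
        k = str(event[self.key])
        win = self.windows[k]
        win.append((ts, event[self.distinct] if self.distinct else ts))
        while win and ts - win[0][0] > self.duration:   # expire events outside the window
            win.popleft()
        count = len({v for _, v in win}) if self.distinct else len(win)
        return count > self.threshold


def run(detector: SlidingWindowDetector,
        events: List[Tuple[float, Dict[str, object]]]) -> List[Tuple[float, str]]:
    """Return (timestamp, tracked key) for every event that triggered the detector."""
    alerts = []
    for ts, ev in events:
        if detector.observe(ev, ts):
            alerts.append((ts, str(ev[detector.key])))
    return alerts


# Constructed sample traffic (timestamps in seconds, documentation address ranges).
# SYN flood: eight different sources open connections to one server within a second.
SYN_FLOOD = [(0.1 * i, {"src": "198.51.100.%d" % i, "dst": "192.0.2.10", "dport": 80, "flags": "S"})
             for i in range(1, 9)]
# Port scan: one source probes twelve different ports on one host within 2.4 s.
PORT_SCAN = [(0.2 * i, {"src": "203.0.113.7", "dst": "192.0.2.20", "dport": 20 + i, "flags": "S"})
             for i in range(1, 13)]
# Retries to the same port from one source are not a scan and must not trigger.
REPEATS = [(0.2 * i, {"src": "203.0.113.8", "dst": "192.0.2.20", "dport": 443, "flags": "S"})
           for i in range(1, 13)]


def syn_flood_detector() -> SlidingWindowDetector:
    """DST-style check: more than 5 connection requests to one host within 1 s."""
    return SlidingWindowDetector("tcp_syn_flood", threshold=5, duration=1.0, key="dst")


def port_scan_detector() -> SlidingWindowDetector:
    """SRC/sweep-style check: more than 10 distinct ports probed by one host within 5 s."""
    return SlidingWindowDetector("tcp_port_scan", threshold=10, duration=5.0,
                                 key="src", distinct="dport")


if __name__ == "__main__":
    print("flood alerts:", run(syn_flood_detector(), SYN_FLOOD))
    print("scan alerts:", run(port_scan_detector(), PORT_SCAN))
    print("repeat alerts:", run(port_scan_detector(), REPEATS))
```

Tuning is the same problem the slides raise for DoS policies: the threshold must sit above the legitimate peak for the tracked key, and tracking by destination (DST) versus source (SRC) changes what the count means.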
Web Application Firewall (WAF)
Objectives
• Identify the purpose of WAF on FortiGate
• Identify common web attacks
• Configure a WAF profile
WAF
• Websites are attractive targets for hackers
• FortiGuard web filtering is for clients, not servers
• WAF provides protection for web services
o Enabled under System > Feature Visibility
o Available only in proxy inspection mode (System > Settings)

402
Example of a Web Attack–Cross-Site Scripting
1. An attacker inputs JavaScript in an HTML form/parameter.
2. The web app does not reject illegal input.
3. Usually, the web app saves the input to a database.
4. An innocent client requests a page that is retrieved from the database. The page:
o Now includes malicious script
o Can cause client’s browser to transmit to third-party, malicious server

• The variety of attacks based on cross-site scripting (XSS) is limitless, but they
commonly include transmitting private data like authentication cookies or other
session information to the attacker.

403
Example of a Web Attack–SQL Injection
• SQL statements are inserted into entry fields of a web application
• The web application doesn’t reject illegal input
• When the web application connects to the database to add input, it can:
o Download sensitive data from the database (select * from USERS)
o Modify database (insert/update/delete)
o Perform administrative operations (close management interface)

404
WAF Configuration
Security Profiles > Web Application Firewall
Policy & Objects > IPv4 Policy

405
FortiWeb
• Provides more specialized web server protection
• More complete protocol understanding
• HTTP state attack protection
• HTTP vulnerability scans/penetration tests
• HTTP rewriting and application delivery (basic ADC)
• Better performance for high HTTP traffic

406
FortiGate-FortiWeb Integration
• FortiWeb installed standalone (online or offline), usually behind FortiGate

• FortiGate configured to forward HTTP traffic to FortiWeb for inspection


Security Fabric > Settings

407
Best Practices
Objectives
• Identify the IPS implementation methodology
• Enable full SSL inspection for IPS-inspected traffic
• Identify hardware acceleration components for IPS
IPS Implementation
• Analyze requirements
o Not all policies require IPS
• Start with the most business-critical services
o Avoid enabling IPS on internal-to-internal policies
• Evaluate applicable threats
o Create IPS sensors specifically for the resources you want to protect
• Maintain IPS continuously
o Monitor logs for anomalous traffic patterns
o Tune IPS profiles based on observations

409
Full SSL Inspection
• Enable a full SSL inspection profile to ensure you’re inspecting encrypted traffic
Security Profiles > SSL/SSH Inspection Policy & Objects > IPv4 Policy

410
Hardware Acceleration
• FortiGate models with NP4, NP6, and SoC3 can benefit from NTurbo acceleration (np-accel-mode).
• FortiGate models that have a CP8 or CP9 support offloading of IPS pattern matching to the content processor (cp-accel-mode).

  fgt # get hardware status
  Model name: FortiGate-300D
  ASIC version: CP8
  ASIC SRAM: 64M
  CPU: Intel(R) Core(TM) i3-3220 CPU @ 3.30GHz
  Number of CPUs: 4
  RAM: 7996 MB
  Compact Flash: 15331 MB /dev/sda
  Hard disk: 114473 MB /dev/sdb
  USB Flash: not available
  Network Card chipset: Intel(R) Gigabit Ethernet Network Driver (rev.0003)
  Network Card chipset: FortiASIC NP6 Adapter (rev.)

  config ips global
      set np-accel-mode [ basic | none ]
      set cp-accel-mode [ basic | advanced | none ]
  end

• np-accel-mode
o basic: offloads IPS processing to NP
• cp-accel-mode
o basic: offloads basic IPS pattern matching to CP8 or CP9
o advanced: offloads more types of IPS pattern matching
• Only available in units with two or more CP8s or one or more CP9s

411
Troubleshooting
Objectives
• Troubleshoot FortiGuard IPS updates
• Troubleshoot IPS high-CPU usage
• Manage IPS fail-open events
• Investigate false-positive detection
FortiGuard IPS Troubleshooting
• All IPS update requests are sent to update.fortiguard.net on TCP port 443
o Can be configured to connect through a web proxy (CLI only):
• config system autoupdate tunneling
o Even when connecting through a web proxy, FortiGate needs DNS resolution for update.fortiguard.net
• Verify the update status in the GUI (System > FortiGuard)
o Hover over the version information for the last update timestamp
• Enable real-time debug in the CLI, then force a manual update of all FortiGuard packages:

  # diagnose debug application update -1
  # diagnose debug enable
  # execute update-now

413
IPS and High-CPU Use

  # diagnose test application ipsmonitor ?
  1: Display IPS engine information
  2: Toggle IPS engine enable/disable status
  3: Display restart log
  4: Clear restart log
  5: Toggle bypass status
  6: Submit attack characteristics now
  10: IPS queue length
  11: Clear IPS queue length
  12: IPS L7 socket statistics
  13: IPS session list
  14: IPS NTurbo statistics
  15: IPS A statistics
  97: Start all IPS engines
  98: Stop all IPS engines
  99: Restart all IPS engines and monitor

• Option 2 shuts down the IPS engine completely.
• Option 5 (bypass) keeps the IPS engine active, but it does not inspect traffic.

414
IPS Fail Open
• Fail open is triggered when the IPS socket buffer is full and new packets can’t be added for inspection.

  config ips global
      set fail-open <enable|disable>
      ...
  end

• IPS fail open log entry (packets dropped!):

  date=2017-09-21 time=09:07:59 logid=0100022700 type=event subtype=system level=critical vd="root" logdesc="IPS session scan paused" action="drop" msg="IPS session scan, enter fail open mode"

• When troubleshooting IPS fail open events, try to identify a pattern.
o Has the traffic volume increased recently?
o Does fail open trigger at specific times during the day?
• Create IPS profiles specifically for the traffic type.
o An IPS sensor configured to protect Windows servers doesn’t need Linux signatures.
o Disable IPS on internal-to-internal policies.

415
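The question "does fail open trigger at specific times during the day?" is answered by grouping the fail-open entries by hour and checking which hours recur across days. The Python below is an added example (not Fortinet code and not part of the course) that does this over the key=value event log format. The first sample line is the slide's own entry; the remaining lines are constructed repeats on later days plus one constructed unrelated event with a placeholder `logid` that must be ignored. The fail-open `logid` 0100022700 is taken from the slide's sample entry.

```python
import shlex
from collections import Counter, defaultdict
from typing import Dict, List

FAIL_OPEN_LOGID = "0100022700"   # logid of the fail-open entry shown on the slide

# Constructed sample event log: the slide's entry, constructed repeats on later days,
# and one unrelated event (placeholder logid="0000000000") that must not be counted.
EVENT_LOGS = [
    'date=2017-09-21 time=09:07:59 logid=0100022700 type=event subtype=system level=critical '
    'vd="root" logdesc="IPS session scan paused" action="drop" msg="IPS session scan, enter fail open mode"',
    'date=2017-09-22 time=09:12:03 logid=0100022700 type=event subtype=system level=critical '
    'vd="root" logdesc="IPS session scan paused" action="drop" msg="IPS session scan, enter fail open mode"',
    'date=2017-09-22 time=14:40:10 logid=0100022700 type=event subtype=system level=critical '
    'vd="root" logdesc="IPS session scan paused" action="drop" msg="IPS session scan, enter fail open mode"',
    'date=2017-09-23 time=09:05:41 logid=0100022700 type=event subtype=system level=critical '
    'vd="root" logdesc="IPS session scan paused" action="drop" msg="IPS session scan, enter fail open mode"',
    'date=2017-09-23 time=10:00:00 logid=0000000000 type=event subtype=system level=notice '
    'vd="root" logdesc="Constructed unrelated event" msg="not a fail open event"',
]


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Split a FortiGate key=value record; shlex keeps quoted values with spaces intact."""
    fields: Dict[str, str] = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def fail_open_events(lines: List[str]) -> List[Dict[str, str]]:
    """Keep only the fail-open entries, identified by their logid."""
    return [r for r in map(parse_fortigate_log, lines) if r.get("logid") == FAIL_OPEN_LOGID]


def events_per_hour(events: List[Dict[str, str]]) -> Counter:
    """How many fail-open events fell into each hour of the day (time=HH:MM:SS)."""
    return Counter(int(e["time"][:2]) for e in events)


def recurring_hours(events: List[Dict[str, str]], min_days: int = 2) -> List[int]:
    """Hours in which fail open occurred on at least `min_days` distinct days: a
    recurring hour points at a scheduled load (backups, batch jobs) rather than a one-off spike."""
    days_by_hour = defaultdict(set)
    for e in events:
        days_by_hour[int(e["time"][:2])].add(e["date"])
    return sorted(h for h, days in days_by_hour.items() if len(days) >= min_days)


if __name__ == "__main__":
    ev = fail_open_events(EVENT_LOGS)
    print("fail-open events:", len(ev))
    print("per hour:", dict(events_per_hour(ev)))
    print("recurring hours:", recurring_hours(ev))
```

With a recurring hour identified, the next steps are the ones the slide lists: check whether traffic volume rises at that time, and narrow the IPS sensors on the affected policies to the signatures the protected systems actually need.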
False-Positive Detection
• Check the logs to determine which
signature is triggering the false-
positive.
• Use IP exemptions on the
signature as a temporary bypass
for the affected endpoints.
• Collect samples of the traffic:
o Use the Packet Logging action.
• Provide the traffic samples and the
IPS logs to the FortiGuard team for
further investigation.

416
Review
✓ Manage FortiGuard IPS updates
✓ Configure an IPS sensor
✓ Apply IPS to network traffic
✓ Identify a DoS attack
✓ Configure a DoS policy
✓ Identify common web attacks
✓ Configure a WAF profile
✓ Identify IPS implementation methodology
✓ Troubleshoot common IPS issues
FortiGate Security
SSL-VPN

© Copyright Fortinet Inc. All rights reserved. Last Modified: 24 January 2020
Lesson Progress

Describe SSL-VPN

SSL-VPN Deployment Modes

Configuring SSL-VPNs

Realms and Personal Bookmarks

Hardening SSL-VPN Access

Monitoring and Troubleshooting

419
Describe SSL-VPN
Objectives
• Define a virtual private network (VPN)
• Describe the differences between SSL-VPN and IPsec VPN
What are VPNs?
• A VPN extends a private network across a public network.
• Securely connect remote LANs and devices
o Employees who travel
o Branch offices to servers at a central office
• Safely transmit private data across the Internet
o Tamper-proof
• Attackers can’t change a message or file.
o Encrypt
• Unauthorized users can’t eavesdrop.
o Authenticate
• Only known users can access the private network.

[Diagram] Public Network / Private Network

421
Comparing SSL-VPN and IPsec VPN
Tunnel type:
• SSL-VPN: HTTPS tunnel (SSL/TLS layer)
• IPsec VPN: IPsec tunnel (ESP layer)
Can be between:
• SSL-VPN: browser and FortiGate; FortiClient and FortiGate
• IPsec VPN: FortiClient and FortiGate; FortiGate and FortiGate; FortiGate and compatible third-party IPsec VPN gateway; FortiGate and compatible third-party IPsec VPN clients
Log in through:
• SSL-VPN: HTTPS web page on FortiGate; FortiClient (fortissl virtual adapter)
• IPsec VPN: IPsec client (site-to-site doesn’t require an IPsec client)

422
Comparing SSL-VPN and IPsec VPN (Cont’d)
Category:
• SSL-VPN: vendor specific
• IPsec VPN: industry standard
Set up:
• SSL-VPN: does not require installation; simpler setup (only client-to-FortiGate; no user-configured settings; technical support less requested)
• IPsec VPN: requires installation; flexible setup (mesh and star topologies; for clients or peer gateways; performance based: IPsec cryptography is faster in FortiOS)
Better for:
• SSL-VPN: users, Internet cafés, libraries, and so on
• IPsec VPN: office-to-office traffic; data centers

423
SSL-VPN Deployment Modes
Objectives
• Describe the differences between SSL-VPN modes
SSL-VPN Deployment Modes
VPN > SSL-VPN Portals
• Tunnel mode
o Accessed through a standalone client
o Requires a virtual adapter on the client’s host
• Web mode
o Requires only a web browser
o Supports a limited number of protocols:
• Citrix, FTP, HTTP/HTTPS, Port Forward, RDP, SMB/CIFS, SSH, Telnet, VNC, and Ping

  config vpn ssl web portal
      edit <portal-name>
          set tunnel-mode [enable|disable]
          set web-mode [enable|disable]
  end

425
Web Mode
• Connect to FortiGate’s SSL-VPN portal from
any browser.
o The web portal displays the status of SSL-VPN.
o The SSL-VPN stays up only while the SSL-VPN
portal page is open.
• Access internal network resources easily
using:
o Bookmarks
o Quick connection
• Disadvantages:
o Interaction with the internal network exclusively by
browser
• Through the SSL-VPN portal
• External network applications cannot send data across
the VPN.
o Limited number of protocols supported
426
Web Mode (Cont’d)
1. Remote users connect to the SSL-VPN portal (HTTPS web page on FortiGate).
2. Users authenticate.
3. Users access resources through the Quick Connection launcher or Bookmarks.
• The user’s source IP is replaced by FortiGate’s internal IP address.

427
Tunnel Mode
• Connect to FortiGate through FortiClient.
o Tunnel is up only while the SSL-VPN client is connected.
o FortiClient adds a virtual network adapter called fortissl.
• FortiGate establishes the tunnel.
o Assigns a virtual IP address to the client from a pool of reserved addresses.
o All traffic is encapsulated with SSL/ TLS.
• Advantage:
o Any IP network application on the client can send traffic through the tunnel.
• Disadvantage:
o Requires the installation of a VPN client.
http://www.forticlient.com/

428
Tunnel Mode
1. Remote users connect to the SSL-VPN gateway through the SSL-VPN client.
2. Users authenticate.
3. The virtual adapter creates the tunnel.
4. Users access resources through an encrypted tunnel (SSL/TLS).

User traffic source IP address is assigned by FortiGate, like IPsec.

SSL-VPN Tunnel

429
Tunnel Mode – Split Tunneling
• Disabled:
o All traffic routes through an SSL-VPN tunnel to a remote FortiGate, then to the destination. This includes Internet traffic.
o An egress firewall policy is required.
o Traffic inspection and security features are applied.
• Enabled:
o Only traffic destined for the private network is routed through the remote FortiGate.
o Internet traffic uses the local gateway (unencrypted route).
o Conserves bandwidth and alleviates bottlenecks.

[Diagram] SSL-VPN tunnel with split tunneling enabled versus split tunneling disabled.

430
Configuring SSL-VPNs
Objectives
• Define authentication for SSL-VPN users
• Configure SSL-VPN portals
• Configure SSL-VPN settings
• Define firewall policies for SSL-VPNs
Configuring SSL-VPN
1. Set up user accounts and groups for remote SSL-VPN users.
2. Configure SSL-VPN portals.
3. Configure SSL-VPN settings.
4. Create a firewall policy to and from the SSL-VPN interface.
o Accepts and decrypts packets.
o Allows traffic from SSL-VPN clients to the internal network and the reverse.
Optionally:
5. Create a firewall policy to allow SSL-VPN traffic to the Internet.
o Useful to allow all clients’ traffic through FortiGate to the Internet when split tunneling is disabled.
o FortiGate can be used to apply security profiles.
Step 1: Set Up User Accounts and Groups
1. Define user accounts and groups.
2. Configure SSL-VPN authentication methods:
o Local password authentication
o Remote password authentication or server-based authentication such as LDAP, RADIUS, TACACS+
o Two-factor authentication
• Better security than just passwords
Diagram: user name with password (one factor); token code (two factor).
Step 2: Configure the SSL-VPN Portal
VPN > SSL-VPN Portals
• SSL-VPN portals determine the access profiles.
o Configure portals for different users or groups.
• SSL-VPN portals can operate in:
o Tunnel mode
• Activate split tunneling; requires Routing Address
• Source IP Pools assigns an IP address to the end-user virtual network adapter: fortissl
o Web mode
• Use direct connection or bookmarks to several applications such as: Citrix, FTP, HTTP/HTTPS, Port Forward, RDP, SMB/CIFS, SSH, TELNET, VNC.
Screenshot callouts: Tunnel Mode; Web Mode; Admin-defined bookmarks.
Example: SSL-VPN Portal
https://<FortiGateIP>:<port>/remote/login
• SSL-VPN Portal page
o Web mode only
• Widgets
o Bookmarks, predefined by admin
o Your Bookmarks, defined by user
o Quick Connection, for users
• History
o User logs
• Download FortiClient
o SSL-VPN client for connections in tunnel mode
Screenshot callouts: Admin-defined bookmarks; User’s bookmarks.
SSL-VPN Bookmarks
Bookmark types (shown as icons on the original slide) and what each allows:
o FTP: Allows you to transfer files between the SSL-VPN client and a remote host or server.
o RDP/VNC: Allows you to remotely control a computer.
o SSH: Allows the exchange of data between two hosts, using a secure channel.
o HTTP/HTTPS: Access websites.
o TELNET: Allows you to log in to a remote host using your computer as a virtual text-only terminal.
o SMB/CIFS: Implements SMB protocol to support file sharing between SSL-VPN client and a remote host/server.
o Citrix: Allows you to use SOCKS protocol for connecting Citrix client to SSL-VPN port forward module.
o Port Forward: Allows you to connect remote SSL-VPN client’s applications to remote application servers.
Port Forwarding
• An extension of web mode that simulates tunnel mode
• When should you use it?
o When you do not have administrative access to install FortiClient.
o When web mode does not support a required application or protocol.
• How does it work?
1. Port forwarding requires a local proxy—Java applet.
• The Java applet setup does not require administrator or root privileges.
• Extends application support.
2. Configure applications to send IP traffic to the local proxy applet.
• The applet intercepts specific TCP port traffic and encrypts it.
• The applet redirects the packets to FortiGate’s SSL-VPN gateway.
3. FortiGate forwards the traffic to the application servers.
• As configured through port forwarding bookmarks
• Only supports applications with a static TCP port.
Diagram: 1. Configure the Java applet. 2. Point apps to the applet at 127.0.0.1:X. 3. SSL-VPN listens at X and forwards traffic to the application servers.
Step 3: Configure SSL-VPN Settings
VPN > SSL-VPN Settings
• FortiGate interface for SSL-VPN portal:
o Default port is 443
o By default, admin GUI interface and SSL-VPN portal use the same HTTPS port
• Advised to use different interfaces for admin GUI access and SSL-VPN portal
• If both services use the same interface and port, only the SSL-VPN portal appears.
• Restrict access to known hosts.
• SSL-VPN time out:
o Default idle: 300 sec (5 min)
• Digital server certificate:
o Self-signed certificate used by default
o To avoid browser security warnings, use a certificate issued by a public CA, or install the self-signed certificate on all clients.
Step 3: Configure SSL-VPN Settings (Cont’d)
VPN > SSL-VPN Settings
• Define the IP range for the SSL-VPN.
o IPs are assigned to clients’ virtual adapters while joined to the VPN.
• Resolve names by DNS server.
o Use internal DNS if resolving internal domain names.
o Optionally, resolve names by WINS servers.
• Allow users to self-register.
o FortiGate sends FortiClient the IP address and port for registration.
• Specify authentication portal mapping.
o Specify portals for each user or group.
o Define portal for all other users or groups.
• It cannot be deleted.
Step 4: Firewall Policies to and From SSL-VPN Interface
Policy & Objects > IPv4 Policy
• Listens for connections to the SSL-VPN portal.
• ssl.<vdom_name> policy enables portal with user authentication.
• The selected Incoming Interface is the SSL-VPN’s virtual interface.
o Example: ssl.root for root VDOM
• Passes decrypted traffic to the selected Outgoing Interface.
Screenshot callout: add the users/groups for SSL-VPN authentication; otherwise, users will be denied permission.
Example: Access to Internal Resources
• All traffic generated by the user exits through the ssl.<vdom_name> interface.
o Applies to both web and tunnel mode
Diagram: SSL-VPN users (Accountants, Teachers) connect on wan1; policy 11 reaches Mail_Server in the dmz, policy 12 reaches Database on internal.
config firewall policy
    edit 11
        set srcintf ssl.root
        set dstintf dmz
        set srcaddr all
        set dstaddr Mail_Server
        set action accept
        set schedule always
        set service ALL
        set groups Accountants
    next
    edit 12
        set srcintf ssl.root
        set dstintf internal
        set srcaddr all
        set dstaddr Database
        set action accept
        set schedule always
        set service ALL
        set groups Teachers
    next
end
Step 5: Create a Firewall Policy to Access the Internet
Policy & Objects > IPv4 Policy
• Create a firewall policy to allow Internet access.
o From ssl.root to egress interface.
• Useful when split tunneling is disabled.
• Apply security profiles to restrict user access to the Internet.
Realms and Personal Bookmarks
Objectives
• Configure realms for the SSL-VPN portal
• Configure personal bookmarks for the SSL-VPN portal
How to Find Realms and Personal Bookmarks Settings
System > Feature Visibility
• By default, all SSL-VPN users using the same portal will see the same bookmarks.
• Enable features for customizing realms and user bookmarks:
o SSL-VPN Realms
o SSL-VPN Personal Bookmark
• By default, these features are hidden.
o To make the feature visible on the GUI, click System > Feature Visibility.
o Displayed on the VPN menu.
Configure Realms
• By default, all users connect to the same login page for the SSL-VPN portal
o https://10.0.1.254:10443
• Customize URLs for specialized portals (realms)
o https://10.0.1.254:10443/Accountants
o https://10.0.1.254:10443/Teachers
VPN > SSL-VPN Realms
Screenshot callouts: Custom URL path; Limit users; Custom login page.
config vpn ssl web realm
    edit Accountants
        set max-concurrent-user 500
        set login-page <HTML content>
    next
end
Apply Realms
• In SSL-VPN Settings, apply realms in the Authentication/Portal Mapping.
o Customize portals for each user/group with realms.
VPN > SSL-VPN Settings
Screenshot callout: new option for realms.
SSL-VPN Personal Bookmarks
VPN > SSL-VPN Portals
• Show user-added bookmarks through the SSL-VPN web portal
o Enable the option on VPN > SSL-VPN Portals (SSL-VPN Portal, Web Mode).
o These are not the admin-defined bookmarks.
• Administrators can:
o GUI: View and delete user bookmarks.
o CLI: Create bookmarks for a specific user.
• Supports SSO for any link that requires authentication.
config vpn ssl web user-bookmark
    edit Accountant-1#Accountants
        config bookmarks
            edit Finance-FTP
                set apptype ftp
                set folder ftp://[email protected]/Invoices
                set sso disable
            next
        end
    next
end
Hardening SSL-VPN Access
Objectives
• Configure client integrity checking
• Apply two-factor authentication using security certificates
• Restrict clients by IP and MAC address
Client Integrity Checking
• SSL-VPN gateway checks client integrity
o Requires Microsoft Windows
• Detects client security applications recognized by the Windows Security Center
o Antivirus and firewall software
o Security attributes recorded on the client’s computer
• Checks the status of applications through their GUID
o Custom host checks
• Determines the state of the applications
o Active/inactive
o Current version number
o Signature updates
Configure Client Integrity Check
• External vendor software ensures client integrity.
o FortiClient, AVG, CA, F-Secure, Kaspersky, McAfee, Norton, Symantec, Panda, Sophos, Trend-Micro, Zone Alarm, …
• Check if software is installed on host client.
o Configure through CLI only
o Software needs to be updated and recognized by Windows Security Center
o If not, FortiGate rejects the SSL-VPN connection attempt.
• host-check options:
• none – No host checking
• av – Verify if there is any antivirus software
• fw – Verify if there is any firewall software
• av-fw – Verify if there is both antivirus and firewall software
• custom – Verify custom or proprietary software
Administrators should have in-depth knowledge of the Windows OS to use and maintain this feature.
config vpn ssl web host-check-software
    show
end
config vpn ssl web portal
    edit <portal_name>
        set host-check [none|av|fw|av-fw|custom]
        set host-check-interval <seconds>
    next
end
Two-Factor Authentication Through Security Certificates
1. Requesting a client’s certificates
o Clients authenticate using certificates.
o Install a local certificate in a client’s browser.
o Install the corresponding CA certificate on FortiGate.
config vpn ssl settings
    set reqclientcert enable
end
FortiGate prompts the client browser for its client-side certificate.
2. Using FortiGate’s issued certificates
o Use FortiGate’s CA certificate.
o Install FortiGate’s CA certificate in a client’s browser.
o Default certificate is Fortinet_CA_SSL
config vpn ssl settings
    set servercert <certificate>
end
Use the certificate that FortiGate uses to identify itself to SSL-VPN clients.
Restricting Hosts by IP Address
VPN > SSL-VPN Settings
• Set up IP restriction rules to allow specific hosts.
o Using the GUI:
• Select Limit access to specific hosts
• Is selected by default but empty
o Using the CLI, enter:
• set source-address
config vpn ssl settings
    set source-address REMOTE_WINDOWS
end
• Set up IP restriction rules to exclude specific hosts by CLI
config vpn ssl settings
    set source-address-negate [enable|disable]
    set source-address6-negate [enable|disable]
end
Restricting Hosts by MAC Address
• Check against the client’s MAC address.
• Ensure only specific computers or devices are connecting to the SSL-VPN.
• Link clients to specific portals by MAC address.
• Hooks into the Windows Security Center.
config vpn ssl web portal
    edit <portal-name>
        set mac-addr-check [enable|disable]
        set mac-addr-action [allow|deny]
        config mac-addr-check-rule
            edit <rule-id>
                set mac-addr-list 01:01:01:01:01:01 08:00:27:d4:06:5d
                set mac-addr-mask 48
            next
        end
    next
end
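The MAC check above, as an added Python illustration of how a list, a prefix mask and an allow/deny action combine; this is not FortiOS code, and the allow/deny semantics and the second OUI rule are assumptions labelled in the comments.

```python
import re

# Assumption: semantics mirror the portal settings on this slide (mac-addr-check,
# mac-addr-action, mac-addr-check-rule with mac-addr-list and mac-addr-mask).
# Illustration only, not FortiOS's own implementation.

_MAC_RE = re.compile(r"^[0-9a-f]{12}$")


def mac_to_int(mac):
    """Normalise '08:00:27:d4:06:5d', '08-00-27-D4-06-5D' or '0800.27d4.065d'
    to a 48-bit integer; raise ValueError on anything else."""
    digits = re.sub(r"[:\-.]", "", mac.strip().lower())
    if not _MAC_RE.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(digits, 16)


def mac_in_rule(client_mac, mac_addr_list, mac_addr_mask):
    """True if client_mac matches any entry of mac_addr_list under a prefix
    mask of mac_addr_mask bits (48 = exact address, 24 = vendor OUI only)."""
    if not 0 <= mac_addr_mask <= 48:
        raise ValueError("mac-addr-mask must be between 0 and 48")
    # Keep the top mac_addr_mask bits of the 48-bit address, clear the rest.
    mask = ((1 << mac_addr_mask) - 1) << (48 - mac_addr_mask)
    client = mac_to_int(client_mac) & mask
    return any(mac_to_int(entry) & mask == client for entry in mac_addr_list)


def portal_mac_decision(client_mac, mac_addr_check, mac_addr_action, rules):
    """Decide whether a client may use the portal.
    rules: list of (mac_addr_list, mac_addr_mask) tuples, one per
    mac-addr-check-rule entry.
    Assumption: with action 'allow' only clients matching a rule get in;
    with action 'deny' clients matching a rule are rejected."""
    if mac_addr_check != "enable":
        return True  # no MAC restriction on this portal
    matched = any(mac_in_rule(client_mac, mac_list, mask) for mac_list, mask in rules)
    if mac_addr_action == "allow":
        return matched
    if mac_addr_action == "deny":
        return not matched
    raise ValueError("mac-addr-action must be 'allow' or 'deny'")


# Constructed rule set: the two exact (48-bit) addresses from the CLI example
# on this slide, plus a constructed second rule that matches a whole OUI.
PORTAL_RULES = [
    (["01:01:01:01:01:01", "08:00:27:d4:06:5d"], 48),
    (["00:09:0f:00:00:00"], 24),  # constructed: any MAC beginning 00:09:0f
]
```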
Monitoring and Troubleshooting
Objectives
• Monitor SSL-VPN connected users
• Review SSL-VPN logs
• Configure SSL-VPN timers
• Troubleshoot common SSL-VPN issues
• Identify hardware acceleration components for SSL-VPN
Monitoring SSL-VPN Sessions
• Monitor which SSL-VPN users are connected.
o GUI: Monitor > SSL-VPN Monitor
• Shows SSL-VPN user names, connection times, and IP addresses.
o For tunnel mode, Active Connections displays the IP address assigned to the fortissl virtual adapter.
• Force end user disconnection.
o Right-click the user name and select End Session.
Monitor > SSL-VPN Monitor
Screenshot callouts: right-click to terminate an active SSL-VPN session; a tunnel mode user shows the SSL-VPN IP address assigned during the session; web user.
SSL-VPN Logs
• Review if the SSL-VPN tunnel is established or closed.
• Review authentication action related to SSL-VPN users.
• Review SSL-VPN connections in tunnel mode with FortiClient.
SSL-VPN Idle Timeout vs. Authentication Session
• Firewall policy authentication session is associated with the SSL-VPN tunnel session.
o Firewall policy authentication session is forced to end when the SSL-VPN tunnel session ends.
o Prevents reuse of authenticated SSL-VPN firewall policies (not yet expired) by a different user, after the initial user terminates the SSL-VPN tunnel session.
• SSL-VPN authentication is not subject to the firewall authentication timeout setting.
o It has a separate idle setting: default 300 seconds
VPN > SSL-VPN Settings
config vpn ssl settings
    set idle-timeout <0-259200>
end
SSL-VPN Timers
• Set up timers to avoid logouts when SSL-VPN users experience long network latency.
o DTLS hello timeout—default 10 seconds.
o Login timeout—default 30 seconds.
config vpn ssl settings
    set login-timeout <10-180>
    set dtls-hello-timeout <10-60>
    set http-request-header-timeout <1-60>
    set http-request-body-timeout <1-60>
end
• Timers can also help to mitigate DoS attacks within SSL-VPN caused by partial HTTP requests, such as Slowloris and R-U-Dead-Yet.
Best Practices for Common SSL-VPN Issues
• For web mode connections, make sure that:
o Cookies are enabled and the Internet privacy options are set to high in your web browser
o SSL-VPN clients are following the proper URL structure: https://<FortiGateIP>:<port>
• For tunnel mode connections, make sure that:
o The FortiClient version is compatible with the FortiOS firmware
• Refer to release notes for product compatibility and integration.
o Split tunneling is enabled to allow Internet access without backhauling all users’ data to the remote network, or
o Split tunneling is disabled and an egress firewall policy is created for SSL-VPN connections
• For general SSL-VPN connections, make sure that:
o Users are connecting to the correct port number
• To check SSL-VPN port assignment, click VPN > SSL-VPN Settings.
o Firewall policies include SSL-VPN groups or users, and the destination address
o The timeout timer is configured to flush inactive sessions after a short time
o Users are encouraged to log out if they are not using the network resources only accessible by SSL-VPN
Useful Troubleshooting Commands
# diagnose debug enable
# diagnose vpn ssl <…>
    list                    Show current connections
    info                    General SSL-VPN information
    statistics              Show statistics about memory usage on FortiGate, maximum and current connections
    debug-filter            Debug message filter for SSL-VPN
    hw-acceleration-status  Display the status of SSL hardware acceleration
# diagnose debug application sslvpn -1
# diagnose debug enable
Display debug messages for SSL-VPN; debug level -1 produces detailed results.
Hardware Acceleration for SSL-VPN
• FortiGate devices with content processors (CP8 or CP9), which offload specific CPU-intensive operations, support high-performance SSL-VPN bulk data engines.
o SSL/TLS protocol processor
• Administrators can disable CP offloading through firewall policies
o For example: test purposes
config firewall policy
    edit 1
        set auto-asic-offload [enable|disable]
    next
end
• To view the status of SSL-VPN acceleration, use the following command:
get vpn status ssl hw-acceleration-status
Output when acceleration hardware is present: Acceleration hardware detected: kxp=on cipher=on
Output when it is absent: No acceleration hardware detected
Review
✓ Define a virtual private network (VPN)
✓ Describe the differences between SSL-VPN and IPsec VPN
✓ Describe the differences between SSL-VPN modes
✓ Define authentication for SSL-VPN users
✓ Configure SSL-VPN portals
✓ Configure SSL-VPN settings
✓ Define firewall policies for SSL-VPN
✓ Configure realms for SSL-VPN portal
✓ Configure personal bookmarks for SSL-VPN portal
✓ Configure client integrity checking
✓ Apply two-factor authentication using security certificates
✓ Restrict clients by IP and MAC address
✓ Monitor SSL-VPN connected users
✓ Review SSL-VPN logs
✓ Configure SSL-VPN timers
✓ Troubleshoot common SSL-VPN issues
FortiGate Security
Dialup IPsec VPN
© Copyright Fortinet Inc. All rights reserved. Last Modified: 24 January 2020
Lesson Overview
IPsec Introduction
IKE Phase 1 and Phase 2
Dialup IPsec VPN
Best Practices and VPN Logs
IPsec Introduction
Objectives
• Describe the benefits of IPsec VPN
• Be familiar with the IPsec protocol
• Understand how IPsec works
Benefits of IPsec VPN
• Joins remote hosts and networks together into one private network
• Usually provides:
o Authentication
o Data integrity (tamper proofing)
o Data confidentiality (encryption)
Diagram: Hash OK; Confidential; Tamper-proof; Authenticated.
What is the IPsec Protocol?
• Multiple protocols that work together
o AH provides integrity but not encryption. So, although it’s defined in an RFC, it is not used by FortiGate.
• Port numbers and encapsulation vary by network address translation (NAT).
Protocol | NAT | No NAT
IKE (RFC 2409 IKEv1, RFC 4306 IKEv2) | IP protocol 17: UDP port 500 (UDP 4500 for rekey, quick mode, mode-cfg) | IP protocol 17: UDP port 500
ESP (RFC 4303) | IP protocol 17: UDP port 4500 | IP protocol 50
How Does IPsec Work?
• Encapsulation
o Other protocols wrapped inside IPsec
o What’s inside? Varies by mode:
• Transport mode – TCP/UDP
• Tunnel mode – additional IP layer, then TCP/UDP
• Negotiation like SSL/TLS
o Authentication
o Handshake to exchange keys, settings
Encapsulation – Tunnel Mode or Transport Mode
No VPN
Original packet: [Original IP header][TCP/UDP ... Data]
Tunnel Mode
[New IP header][ESP header][Original IP header][TCP/UDP/SCTP ... Data][ESP trailer][ESP integrity (HMAC)]
Encrypted: Original IP header through ESP trailer
Authenticated: ESP header through ESP trailer
Transport Mode
[Original IP header][ESP header][TCP/UDP/SCTP ... Data][ESP trailer][ESP integrity (HMAC)]
Encrypted: TCP/UDP/SCTP ... Data through ESP trailer
Authenticated: ESP header through ESP trailer
Negotiation – Security Association (SA)
• IKE allows the parties involved in a transaction to set up their security associations (SAs).
o SAs are the basis for building security functions into IPsec.
o In normal two-way traffic, the exchange is secured by a pair of SAs.
o IPsec administrators decide the encryption and authentication algorithms that can be used in the exchange.
• IKE uses two distinct phases:
o Phase 1
o Phase 2
IKE Phase 1 and Phase 2
Objectives
• Identify and understand the phases of IKEv1
What is IKE?
• Uses UDP port 500 (and UDP port 4500 when crossing NAT)
• Negotiates a tunnel’s private keys, authentication, and encryption
o One IPsec SA is used per traffic direction.
• Phases:
o Phase 1
o Phase 2
Phase 1 – Overview
• Each endpoint of the tunnel—the initiator and the responder—connects and begins to set up the VPN.
• On the first connection, the channel is not secure.
o Unencrypted keys can be intercepted.
• To exchange sensitive private keys, both endpoints have to create a secure channel.
o Both endpoints will negotiate the real keys for the tunnel later.
Phase 1—How it Works
1. Authenticate peers
o Pre-shared key or digital signature
o Extended authentication (XAuth)
2. Negotiate one bidirectional SA (called IKE SA)
o In IKEv1, two possible ways:
• Main mode: six packets exchanged
• Aggressive mode: three packets exchanged
o Not the same as final SAs later
o Encrypted tunnel for Diffie-Hellman (DH)
3. DH exchange for secret keys
Phase 1 – Main Mode with Key
Exchange (six packets):
1. Initiator → Responder: suggested ISAKMP policies
2. Responder → Initiator: selected ISAKMP policy
3. Initiator → Responder: Diffie-Hellman public value
4. Responder → Initiator: Diffie-Hellman public value
5. Initiator → Responder: peer ID and hash payloads
6. Responder → Initiator: peer ID and hash payloads
• The first packet doesn't have the peer ID, so the responder cannot use it to identify the initiator.
• This mode works well in point-to-point VPNs and for responders with only one dialup VPN.
• This mode might not work well for responders with multiple dialup VPNs—the peer’s IP address is dynamic.
Phase 1 – Aggressive Mode with Key
Exchange (three packets):
1. Initiator → Responder: suggested ISAKMP policy, key, and ID
2. Responder → Initiator: selected ISAKMP policy, Diffie-Hellman key, ID, and hash payload
3. Initiator → Responder: initiator hash payload
• The peer can be identified using the source IP address or peer ID.
• This method is the solution for responders with multiple dialup VPNs. The responder can use the peer ID in the first packet to identify the peer, and apply the corresponding VPN configuration.
Diffie-Hellman
• Key agreement method:
o Independently calculate a private key using only public keys
• Each FortiGate uses a shared secret key plus a nonce to calculate keys for the following:
o Symmetric encryption algorithms (such as 3DES, AES)
o Symmetric authentication (HMACs)
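The key agreement and the shared-secret-plus-nonce derivation described above, as an added Python illustration (not FortiGate code): a toy Diffie-Hellman group and a simplified IKEv1 pre-shared-key schedule. The 64-bit prime, the nonces and the PSK are constructed for readability; real IKE uses MODP groups of 1024 bits and more.

```python
import hashlib
import hmac
import secrets

# Assumption: toy DH group chosen so the numbers stay readable. Never use a
# 64-bit prime for real keys; IKE DH group 14 is a 2048-bit MODP prime.
P = 0xFFFFFFFFFFFFFFC5  # 2**64 - 59, prime (constructed toy parameter)
G = 2


def dh_keypair():
    """Return (private exponent x, public value g^x mod p) for one peer."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def dh_shared_secret(own_private, peer_public):
    """g^xy mod p, computed by each side from its own private exponent and
    only the peer's public value; the private exponents never cross the wire."""
    return pow(peer_public, own_private, P)


def prf(key, data):
    """IKEv1-style pseudo-random function: HMAC-SHA256 keyed with `key`."""
    return hmac.new(key, data, hashlib.sha256).digest()


def derive_keys(psk, ni, nr, shared_secret):
    """Simplified IKEv1 pre-shared-key schedule (RFC 2409 section 5.4; the
    ISAKMP cookies CKY-I/CKY-R are omitted in this toy version):
      SKEYID   = prf(psk, Ni | Nr)                  shared secret plus nonces
      SKEYID_d = prf(SKEYID, g^xy | 0)              seed for the IPsec SA keys
      SKEYID_a = prf(SKEYID, SKEYID_d | g^xy | 1)   authentication (HMAC) key
      SKEYID_e = prf(SKEYID, SKEYID_a | g^xy | 2)   encryption key"""
    gxy = shared_secret.to_bytes(8, "big")  # 8 bytes because P < 2**64
    skeyid = prf(psk, ni + nr)
    skeyid_d = prf(skeyid, gxy + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + gxy + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + gxy + b"\x02")
    return {"skeyid_d": skeyid_d, "skeyid_a": skeyid_a, "skeyid_e": skeyid_e}


def phase1_keys(psk, initiator_nonce=None, responder_nonce=None):
    """Run one DH exchange between an initiator and a responder and return
    (initiator_keys, responder_keys); both sides must end up identical."""
    ni = initiator_nonce or secrets.token_bytes(16)
    nr = responder_nonce or secrets.token_bytes(16)
    xi, gi = dh_keypair()  # initiator keeps xi, sends gi
    xr, gr = dh_keypair()  # responder keeps xr, sends gr
    keys_i = derive_keys(psk, ni, nr, dh_shared_secret(xi, gr))
    keys_r = derive_keys(psk, ni, nr, dh_shared_secret(xr, gi))
    return keys_i, keys_r
```

A wrong pre-shared key on either side yields a different SKEYID and therefore different HMAC and encryption keys, which is why the hash payloads in packets 5 and 6 of main mode fail to verify.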
NAT Traversal (NAT-T)
VPN > IPsec Tunnels
• ESP can’t support NAT because it has no port numbers.
• If NAT Traversal is set to Enable, it detects whether NAT devices exist on the path.
o If yes, ESP is encapsulated over UDP 4500.
o Recommended if initiator or responder is behind NAT.
• If NAT Traversal is set to Forced:
o ESP is always encapsulated over UDP, even when there are no NAT devices on the path.
Phase 2—How it Works
• Negotiates two unidirectional SAs for ESP (called IPsec SAs)
o Protected by the phase 1 IKE SA
• When SAs are about to expire, it renegotiates
o Optionally, if Perfect Forward Secrecy is set to Enabled, FortiGate uses Diffie-Hellman to generate new keys each time phase 2 expires.
• Each phase 1 can have multiple phase 2s.
o High security subnets can have stronger ESP.
Quick Mode Selectors
• If multiple phase 2s exist, FortiGate directs traffic to the correct phase 2.
o Allows granular security settings for each LAN.
o If traffic does not match an IPsec SA selector, it is dropped.
o In point-to-point VPNs, selectors must match.
• The source on one FortiGate is the destination setting on the other.
• Select which SA to apply using:
o Destination and source IP subnet(s)
o Protocol number
o Source port and destination port
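Selector matching as described above, as an added Python illustration (not FortiGate code): first-match lookup over several phase 2s, the drop when nothing matches, the mirrored selector the peer needs in a point-to-point VPN, and the 0.0.0.0/0 remote address a dialup server uses. The phase 2 names and subnets are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Phase2Selector:
    """One phase 2 (IPsec SA) quick mode selector: source and destination
    subnets, protocol number and ports. 0 means 'any' for protocol and ports."""
    name: str
    src: str
    dst: str
    protocol: int = 0
    src_port: int = 0
    dst_port: int = 0

    def matches(self, src_ip, dst_ip, protocol, src_port=0, dst_port=0):
        src_ok = ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
        dst_ok = ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
        proto_ok = self.protocol in (0, protocol)
        sport_ok = self.src_port in (0, src_port)
        dport_ok = self.dst_port in (0, dst_port)
        return src_ok and dst_ok and proto_ok and sport_ok and dport_ok

    def mirrored(self):
        """The selector the peer FortiGate must configure in a point-to-point
        VPN: our source is its destination and vice versa, ports included."""
        return Phase2Selector(self.name, self.dst, self.src, self.protocol,
                              self.dst_port, self.src_port)


def select_phase2(selectors, src_ip, dst_ip, protocol, src_port=0, dst_port=0):
    """Return the name of the first phase 2 whose selector matches the packet,
    or None: traffic that matches no IPsec SA selector is dropped."""
    for sel in selectors:
        if sel.matches(src_ip, dst_ip, protocol, src_port, dst_port):
            return sel.name
    return None


# Constructed phase 2s on a site-to-site FortiGate: a stricter SA for the
# finance subnet (HTTPS only) listed first, then a catch-all for the rest of
# the remote LAN. Order matters because the first match wins.
SITE_TO_SITE = [
    Phase2Selector("to-finance-https", "10.0.1.0/24", "10.0.10.0/24",
                   protocol=6, dst_port=443),
    Phase2Selector("to-remote-lan", "10.0.1.0/24", "10.0.0.0/16"),
]

# Constructed dialup server phase 2: remote address 0.0.0.0/0 so that any
# dialup client's subnet is accepted (the client supplies its own selector).
DIALUP_SERVER = [Phase2Selector("dialup", "10.0.1.0/24", "0.0.0.0/0")]
```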
Dialup IPsec VPN
Objectives
• Understand dialup IPsec VPN topology
• Deploy a dialup VPN between two FortiGate devices
• Deploy a dialup VPN for FortiClient
Dialup VPN
• Dialup (also called point-to-multipoint)
o FortiGate can’t initiate—only clients can
o Client can be VPN software (FortiClient) or FortiGate.
Diagram: the mobile user knows the destination IP and VPN settings; the destination IP of the remote client is unknown, so FortiGate cannot be the initiator.
Dialup VPN Configuration Between Two FortiGates
• On each FortiGate, create:
o Phase 1
o Phase 2
o Firewall policies
o Static or dynamic routes (if required)
Diagram: the dialup VPN client knows the destination IP and VPN settings of the dialup VPN server across the Internet; the destination IP of the remote FortiGate is unknown to the server, so the dialup server cannot be the initiator.
Phase 1 Configuration (Dialup Server and Client)
VPN > IPsec Tunnels
Dialup IPsec VPN server side:
• Remote Gateway set to Dialup User.
• Peer Options with aggressive mode used for multiple dialup VPNs.
Dialup IPsec VPN client side:
• Remote Gateway can be either Static IP Address or Dynamic DNS.
• Local ID and Aggressive mode required for multiple dialup VPNs.
Phase 2 Selectors Configuration (Dialup Server and Client)
VPN > IPsec Tunnels
• Dialup server side:
o Local address: dialup server's subnet
o Remote address: 0.0.0.0/0 for matching multiple dialup clients' subnets
• Dialup client side:
o Local address: dialup client’s subnet—a static route to this subnet will be added automatically on the dialup server
o Remote address: dialup server's subnet
Firewall Policies For VPN
• Two firewall policies for dialup VPN server
• Two firewall policies for dialup VPN client
Policy & Objects > IPv4 Policy
Screenshot callouts: the IPsec virtual interface matches the name of the phase 1; the policies allow and inspect the traffic coming from and going to the IPsec virtual interface.
Static and Dynamic Routes for Dialup VPN
• Dialup server side:
o Dialup server will dynamically add a static route to the client subnet immediately after the VPN is established.
Monitor > Routing Monitor
• Dialup client side:
o Static route to the dialup server's subnet is not dynamically added in the dialup client when the tunnel comes up.
Network > Static Routes
Screenshot callout: static route to the dialup server via tunnel interface “To local” added manually.
Dialup VPN Configuration Between FortiGate and FortiClient
• On the FortiGate Dialup VPN server, create:
o Phase 1
o Phase 2
o Firewall policies
o Review static or dynamic routes
Diagram: dialup VPN server; mobile user with FortiClient installed.
Phase 1 Configuration (FortiGate as Dialup Server)
VPN > IPsec Tunnels
• Remote Gateway must be set to Dialup User.
• Peer Options with aggressive mode must be used for multiple dialup VPNs.
• Optionally, enable XAuth as client.
Phase 1 Mode Configuration (Dialup Server for FortiClient)
VPN > IPsec Tunnels
• Like DHCP: automatically configures VPN clients’ virtual network settings
• By default, FortiClient VPNs use it to retrieve their VPN IP address settings from FortiGate
Extended Authentication (XAuth)
• XAuth adds more, especially for mobile users: user name + password
• Sometimes called phase 1.5
• You can authorize all users who belong to a specific user group:
VPN > IPsec Tunnels
XAuth – Inheriting the Users From Policies
• Alternatively, select Inherit from policy, to authorize all users who belong to any of the user groups assigned to the VPN firewall policies.
VPN > IPsec Tunnels
Policy & Objects > IPv4 Policy
FortiClient VPN Configuration Wizard
• Simplifies making VPNs for FortiClient remote access
VPN > IPsec Wizard
Best Practices and Logs
Objectives
• Use best practices for dialup IPsec deployments
• Analyze VPN logs and VPN Monitor
Best Practices
• In circumstances where multiple remote dialup VPN tunnels exist, ensure each tunnel has a peer ID set.
• Make sure of compatibility between the FortiClient version and the FortiGate OS version.
• If your FortiGate device is behind a NAT device, such as a router, configure port forwarding for UDP ports 500 and 4500.
• Ensure hardware acceleration is enabled for best IPsec performance.
• Beware of IPsec overheads for maximum transmission unit (MTU) size.
Dialup IPsec Logs
Log & Report > VPN Events
Screenshot callouts: log indicates negotiation failure for phase 2; selected log for details.
Dialup IPsec Logs (Cont’d)
Log & Report > VPN Events
Screenshot callouts: log indicates dialup user student successfully connected; selected log for details.
Dialup IPsec Logs (Cont’d)
Log & Report > VPN Events
Screenshot callouts: log indicates authentication failed for dialup user student; selected log for details.
IPsec VPN Monitor
• Monitor which dialup IPsec VPN users are connected
o GUI: Monitor > IPsec Monitor
• Shows dialup IPsec VPN authenticated users, and IP addresses
• Force end user disconnection
o Right-click the tunnel and select Bring Down.
Monitor > IPsec Monitor
Screenshot callouts: right-click and select Bring Down to terminate an active dialup VPN user tunnel; authenticated dialup VPN user; shows the remote gateway IP address of the dialup IPsec VPN user.
Review
✓ Describe the benefits of IPsec VPN
✓ Be familiar with the IPsec protocol
✓ Understand how IPsec works
✓ Identify and understand the phases of IKEv1
✓ Understand dialup IPsec VPN topology
✓ Deploy a dialup VPN between two FortiGate devices
✓ Deploy a dialup VPN for FortiClient
✓ Use best practices for dialup IPsec deployments
✓ Analyze VPN logs and VPN Monitor