
FortiGate Operator Lesson Scripts, 7.4
Fortinet Training Institute - Library: https://training.fortinet.com
Fortinet Product Documentation: https://docs.fortinet.com
Fortinet Knowledge Base: https://kb.fortinet.com
Fortinet Fuse User Community: https://fusecommunity.fortinet.com/home
Fortinet Forums: https://forum.fortinet.com
Fortinet Product Support: https://support.fortinet.com
FortiGuard Labs: https://www.fortiguard.com
Fortinet Training Program Information: https://www.fortinet.com/nse-training
Fortinet | Pearson VUE: https://home.pearsonvue.com/fortinet
Fortinet Training Institute Helpdesk (training questions, comments, feedback): https://helpdesk.training.fortinet.com/support/home

9/14/2023
TABLE OF CONTENTS

FortiGate Overview
Configuring Interfaces and Routing
Firewall Policies
Authenticating Network Users
Inspect SSL Traffic
Blocking Malware
Control Web Access Using Web Filtering
Configuring the FortiGate Intrusion Prevention System
Controlling Applications Access
Creating IPsec Virtual Private Networks
Configuring FortiGate SSL VPN
FortiGate System Maintenance and Monitoring
Configuring the Fortinet Security Fabric
FortiGate Overview

Welcome to the FortiGate Overview lesson.


After completing this lesson, you will be able to achieve these objectives:
- Describe FortiGate.
- Explain key FortiGate features.
- Understand FortiGuard Labs.
FortiGate is a next-generation firewall (NGFW) that delivers industry-leading enterprise security with full visibility
and threat protection.

Using FortiGate, organizations can achieve:
- Ultra-fast security throughout their network
- A consistent real-time defense
- An excellent user experience
- Operational efficiency and automated workflows
The FortiGate platform adds strength without compromising flexibility, through combining several key elements:
FortiGuard Subscription Services, security features, the FortiOS operating system, and security processing units
(SPUs). FortiGate can also integrate with other Fortinet products.

There are many different FortiGate models, ranging from entry-level hardware appliances to high-end appliances.
FortiGate-VM, a virtual appliance, offers the same protection as the physical appliances for public and private
cloud. This ensures that FortiGate can fit seamlessly into your environment.

FortiGate offers a variety of features to protect and secure your network. These features include the following:
- Firewall authentication, both local and remote
- VPNs
- Security scanning such as antivirus, web filtering, and application control
- Monitoring and logging

FortiGate is also a part of the Fortinet Security Fabric. You will learn more about all these features in later lessons.

To stay up-to-date with the changing threat landscape, FortiGate devices can receive updates through FortiGuard
Security Services, powered by FortiGuard Labs.

Founded in 2002, FortiGuard Labs is Fortinet's threat intelligence and research organization. It partners with law enforcement agencies, government organizations, and security vendor alliances worldwide to fight emerging global security risks.

FortiGuard Labs maintains real-time threat intelligence and prevention tactics and tools across the Fortinet Security Fabric in three key categories:
- Machine learning (ML) and artificial intelligence (AI) that stop unknown threats faster.
- Real-time threat protection to provide a proactive security posture.
- Threat hunting and outbreak alerts that allow for faster remediation.

4 FortiGate 7.4 Operator Lesson Scripts


Fortinet Technologies Inc.

Configuring Interfaces and Routing

Welcome to the Configuring Interfaces and Routing lesson.


After completing this lesson, you will be able to achieve these objectives:
- Configure networking interfaces.
- Configure FortiGate as a DHCP server.
- Configure static routes.
- Monitor static routes.
Physical and virtual interfaces allow traffic to flow between internal networks, and between the internet and
internal networks. FortiGate has options for configuring interfaces that can scale as your organization grows.

You can configure a variety of settings on FortiGate interfaces, including:

- Alias: a name that identifies the interface for reference.
- IP address: the address (public or private) assigned to the interface, with its netmask.
- Administrative access: the protocols that may be used to reach FortiGate management on this interface, such as HTTPS, PING, and SSH. Enable only what you need, and keep HTTPS and SSH off internet-facing interfaces; management should be reachable from the internal or management network only.
- DHCP server: a server that dynamically assigns IP addresses to hosts on the network connected to the interface.
A DHCP server dynamically assigns IP addresses to devices on the network connected to the interface. You can
configure one or more DHCP servers on any FortiGate interface.

A DHCP server configuration includes:

- Address Range: the range of IP addresses that FortiGate assigns to devices.
- Netmask: the netmask of the address that FortiGate assigns to devices.
- Default Gateway: the default gateway that FortiGate assigns to devices. By default, this gateway is the same as the interface IP address.
- DNS Server: the DNS server that FortiGate assigns to devices. By default, this is the same DNS server used by FortiGate.
Static routing is the most basic way of configuring routing on a network device, including firewall devices such as
FortiGate. FortiGate has a default route to its gateway to provide internet network access. Even in a more complex
setup, you would likely find static routes deployed. All routes are part of the routing table, which FortiGate uses to
match incoming traffic to determine where to send that traffic next.

A static route includes:

- Destination: the network (prefix and netmask) that FortiGate compares against the destination IP address of each packet. When several routes match, the most specific route (the longest prefix) wins; among routes to the same destination, the one with the lowest administrative distance is used.
- Gateway address: the IP address of the next-hop router that FortiGate forwards the traffic to.
- Interface: the interface that FortiGate uses to forward traffic towards its destination.

The default route tells FortiGate where to send traffic when no other route in the routing table matches the destination address. Usually, all the users behind FortiGate need a default route in order to have internet access.

In the default route, the destination is 0.0.0.0/0.0.0.0 (written 0.0.0.0/0), which matches every address. The gateway address is typically the address of another router, either a device in your network between FortiGate and the network edge, or part of your ISP network if FortiGate is located on the network edge. Finally, the interface is the FortiGate port that connects to that router, typically the WAN interface.

Every static route you create becomes part of the FortiGate configuration and you can verify this in the GUI under
Network > Static Routes. These static routes that you create will remain in the configuration until you delete
them.

Several conditions can prevent a configured route from being added to the routing table and, consequently, from being used to forward traffic. The most common are:
- The route is misconfigured (for example, the gateway is not reachable through the selected interface).
- The interface associated with the route is down or disabled.
- A better route to the same destination exists, such as a route with a lower administrative distance learned from a dynamic routing protocol, or a second static route with a lower distance.
For example, a static route with destination 172.16.30.0/24 that points out port6 is not included in the routing table while port6 is disabled; it reappears as soon as the interface comes up.

To display the routing table, and check if an expected route is missing, you can go to Dashboard > Network >
Static and Dynamic Routing. Checking the routing table is often one of the first steps you will take when
troubleshooting network connectivity issues.
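The configuration described in this lesson, expressed in the FortiOS CLI as an added example (this is not part of the Fortinet lesson script): a LAN interface with a DHCP server, a WAN interface with restricted administrative access, a default route, one specific static route, and the commands that show whether each route made it into the routing table. Interface names, addresses and the next-hop routers are assumptions for illustration; adjust them for your device.

```fortios
# Added example, not from the Fortinet lesson. Port names, addresses and
# next hops are placeholders.

config system interface
    edit "port1"
        set alias "LAN"
        set ip 10.0.1.1 255.255.255.0
        # Management protocols are allowed on the internal interface only
        set allowaccess ping https ssh
    next
    edit "port2"
        set alias "WAN"
        set ip 203.0.113.10 255.255.255.0
        # Internet-facing: no HTTPS or SSH management here
        set allowaccess ping
    next
end

config system dhcp server
    edit 1
        set interface "port1"
        # Gateway defaults to the interface address; set explicitly for clarity
        set default-gateway 10.0.1.1
        set netmask 255.255.255.0
        # "default" hands out the DNS servers that FortiGate itself uses
        set dns-service default
        config ip-range
            edit 1
                set start-ip 10.0.1.100
                set end-ip 10.0.1.199
            next
        end
    next
end

config router static
    # Default route: 0.0.0.0/0 via the ISP router reachable on port2
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 203.0.113.1
        set device "port2"
    next
    # Specific route to a branch subnet behind an internal router on port1
    edit 2
        set dst 172.16.30.0 255.255.255.0
        set gateway 10.0.1.254
        set device "port1"
    next
end

# Verify. The routing table lists only active routes; the database also
# lists routes that were configured but not installed (interface down, or
# a better route to the same destination), which is where a "missing"
# route turns up.
get router info routing-table all
get router info routing-table database
```

If route 2 is present in the database output but absent from the routing table, check the state of port1 and whether another route to 172.16.30.0/24 with a lower administrative distance exists; fix the cause rather than adding a duplicate route.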

Firewall Policies

Welcome to the Firewall Policies lesson.


By the end of this lesson, you will be able to achieve these objectives:
- Describe what firewall policies are.
- Understand how firewall policies work.
- Describe how inspection modes work.
- Configure firewall policies.
Firewall policies are sets of rules that you use to control whether traffic in your network is accepted by FortiGate
and, if it is accepted, how FortiGate processes it.

Firewall policies define what traffic matches them and what FortiGate does when traffic does match. Each policy has match criteria, which you define using the following objects:
- Incoming and outgoing interfaces
- Source
- Destination
- Service
- Schedule
When traffic matches a firewall policy, FortiGate applies the action configured in that policy:
- If the Action is set to DENY, FortiGate drops the traffic and no session is created.
- If the Action is set to ACCEPT, FortiGate creates a session and allows the traffic, subject to the security profiles applied in the policy.
The Source field of a firewall policy can match two different criteria: an IP subnet (an address object) or a user or user group. The Destination field can match two criteria: an IP subnet or an internet service.

To use an IP subnet as the source or destination, you must first create a firewall address that corresponds to that
subnet. To create a policy that allows internal users to access the internet, you must configure a firewall address
that matches the IP subnet of the internal network and use it as the source in the firewall policy.

You can also create a firewall address for the IP address of a specific device, such as a web server. You would
use this address as the destination in any firewall policies that you want to allow access to the server.

A default ALL option is available for both source and destination IP addresses. The option matches all possible IP
addresses. To set a source user, you configure firewall authentication and then select either specific users or user
groups.

To use an internet service as the destination, select the appropriate service from the internet service database
(ISDB). The ISDB is a list that includes the IP subnets of commonly used web service providers, such as
Facebook, YouTube, and so on.

The FortiGate policy table contains all firewall policies. When matching traffic, FortiGate checks the policy table
from top to bottom and processes traffic using the first policy that matches. If there is no match, FortiGate drops
the traffic by applying the default Implicit Deny firewall policy, located at the bottom of the table.

Because the first match is used, it is best practice to place the most specific policies at the top of the table and the more general policies lower down. A broad ACCEPT policy placed above a narrower DENY policy shadows it: the DENY is never evaluated, the traffic it was meant to stop is allowed, and nothing reports the mistake. Ordering the table from specific to general makes sure FortiGate applies the intended policy to the traffic.

After accepting traffic, FortiGate may apply other features and settings to that traffic based on the firewall policy
configuration. This can include security scanning, such as antivirus, application control, and web filtering.
Scanning could block the traffic if, for example, FortiGate discovers it contains a virus. FortiGate also applies
network address translation and logs traffic based on the firewall policy settings.

When configuring a firewall policy, you must select between two inspection modes: flow-based inspection mode
and proxy-based inspection mode.

Flow-based inspection mode examines traffic packet by packet as it passes through FortiGate, without buffering. Each packet is processed and forwarded without waiting for the complete file or web page. FortiGate does not alter the original content, which means that features that modify content, such as safe search enforcement, are not supported in this mode.

In proxy-based inspection mode, FortiGate buffers the traffic and examines it as a whole before deciding on an action. Because it examines the complete object, it can check more points of data than flow-based inspection, at the cost of added latency. Proxy-based inspection is more thorough than flow-based inspection, yielding fewer false positives and false negatives.
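The policy table described in this lesson as an added FortiOS CLI example (not part of the Fortinet lesson script): address objects, a specific DENY placed above a specific ACCEPT, a general internet policy last, and logging of the implicit deny. Interface names, addresses, policy IDs and the profiles referenced are assumptions; the "default" antivirus and web filter profiles and the "certificate-inspection" SSL profile are FortiOS built-ins.

```fortios
# Added example, not from the Fortinet lesson. port1 = LAN, port2 = WAN,
# port3 = DMZ; addresses are placeholders.

config firewall address
    edit "LAN_SUBNET"
        set subnet 10.0.1.0 255.255.255.0
    next
    edit "DMZ_WEB_SERVER"
        set subnet 10.0.2.10 255.255.255.255
    next
    edit "FINANCE_DB_SERVER"
        set subnet 10.0.2.20 255.255.255.255
    next
end

config firewall policy
    # 1. Most specific first: nobody on the LAN reaches the database directly.
    #    Placing policy 2 or 3 above this one would silently shadow it.
    edit 1
        set name "Deny-LAN-to-FinanceDB"
        set srcintf "port1"
        set dstintf "port3"
        set srcaddr "LAN_SUBNET"
        set dstaddr "FINANCE_DB_SERVER"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    # 2. Specific allow: HTTPS only, to one host.
    edit 2
        set name "Allow-LAN-to-DMZweb"
        set srcintf "port1"
        set dstintf "port3"
        set srcaddr "LAN_SUBNET"
        set dstaddr "DMZ_WEB_SERVER"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
    # 3. General internet access last, flow-based, with source NAT and
    #    security profiles. Use "set inspection-mode proxy" when a profile
    #    needs the whole object buffered (content modification, thorough AV).
    edit 3
        set name "Allow-LAN-to-Internet"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "LAN_SUBNET"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS" "DNS"
        set inspection-mode flow
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "default"
        set webfilter-profile "default"
        set logtraffic all
        set nat enable
    next
end

# Log what the implicit deny at the bottom of the table drops. Unexpected
# hits here are the quickest way to find a missing or mis-ordered policy.
config log setting
    set fwpolicy-implicit-log enable
end

# Policies print in table order, top to bottom, which is the match order.
show firewall policy
```

In this layout the source object "LAN_SUBNET" is used rather than "all" so that a host plugged into port1 with an address outside 10.0.1.0/24 matches nothing but the implicit deny.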

Authenticating Network Users

Welcome to the Authenticating Network Users lesson.


After completing this lesson, you will be able to achieve these objectives:
- Understand the importance of using firewall authentication.
- Explain how FortiGate firewall authentication works.
- Configure authentication.
- Monitor authentication.
Firewall authentication requires users to verify their identity to FortiGate before they can access network
resources.

To authenticate, users must enter their credentials, such as a username and password. Without firewall
authentication, the only information that FortiGate knows about the user that is originating the traffic is their source
IP address, which FortiGate cannot use to determine the user's identity.

To configure firewall authentication, you add a source user or user group to the firewall policy. This requires that
users enter credentials at the beginning of the session.

FortiGate then uses the identity of the user, along with the other rules in the firewall policy, to determine if the
traffic should be allowed or denied.

You can configure two types of firewall authentication on FortiGate: local password authentication and remote
password authentication. The difference between these two methods is on whether the user credentials are
stored on FortiGate or on a remote authentication server.

The simplest method of authentication is local password authentication. User information is stored locally on the
FortiGate device. This method works well for a single FortiGate installation.

When you use local authentication, you need to create an individual account on FortiGate for every user who requires access to the network. A local user account contains both the username and a password.

You can also create local user groups to group together users who require the same level of access. You might
want to group employees by business area, such as finance or HR, or by employee type, such as contractors or
guests. In most cases, it is the best practice to use a group in a firewall policy rather than individual user accounts.

You can also use local authentication for guest groups, which contain temporary user accounts that expire after a
predetermined amount of time.

Administrators can create guest accounts manually, or create many guest accounts at once with randomly generated user IDs and passwords, which reduces administrator workload for large events. Once created, you add the accounts to the guest user group and associate the group with a firewall policy.

When you use a remote authentication, FortiGate sends the user’s entered credentials to an authentication
server, such as FortiAuthenticator. If the server successfully authenticates the user, FortiGate then applies the
matching firewall policy to the traffic. In remote authentication, FortiGate does not store all, or sometimes any, of
the user information locally.

This method is desirable when multiple FortiGate devices need to authenticate the same users or user groups, or
when adding FortiGate to a network that already contains an authentication server.

To use firewall authentication, you need to include a user account or user group in the source definition for a
firewall policy, along with the internal subnet. After doing this, when traffic matches the firewall policy, the user
must authenticate before FortiGate grants access.

To allow FortiGate to identify users requesting access, you can configure local firewall authentication. The recommended process is:

First, create a user account on FortiGate to locally store user credentials.

Second, create a user group based on the user's role or type.

Third, add the user group as the source for a firewall policy.

Finally, verify the configuration by having the user successfully authenticate and monitor them using FortiGate
logs and dashboards.

To allow FortiGate to identify users requesting access, you can configure remote firewall authentication. The recommended process is:

First, connect FortiGate to the remote server.

Second, create a user group and map authenticated remote users to this group.

Third, add the user group as the source for a firewall policy.

Finally, verify the configuration by having the user successfully authenticate and monitor them using FortiGate
logs and dashboards.
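Both procedures above in the FortiOS CLI, as an added example that is not part of the Fortinet lesson script: one local user in a local group, one RADIUS server (a FortiAuthenticator, for instance) behind a remote group, and a policy whose source is the LAN subnet plus those groups. User names, the server address, the shared secret and the password are placeholders, and "LAN_SUBNET" is assumed to be an existing address object for the internal network.

```fortios
# Added example, not from the Fortinet lesson. All names, addresses and
# secrets are placeholders.

# Local authentication: credentials stored on FortiGate
config user local
    edit "alice"
        set type password
        set passwd "use-a-strong-passphrase"
        set status enable
    next
end

config user group
    edit "Finance"
        set member "alice"
    next
end

# Remote authentication: FortiGate forwards the credentials to the RADIUS
# server and stores nothing about the user locally
config user radius
    edit "FAC-RADIUS"
        set server "10.0.5.10"
        set secret "shared-secret-placeholder"
    next
end

config user group
    edit "Remote-Staff"
        set member "FAC-RADIUS"
        # Optional: only users the server reports in RADIUS group "fw-users"
        # are mapped into this FortiGate group
        config match
            edit 1
                set server-name "FAC-RADIUS"
                set group-name "fw-users"
            next
        end
    next
end

# Policy source = subnet AND group: the user must be on the LAN and must
# authenticate before the first session is allowed
config firewall policy
    edit 10
        set name "Staff-to-Internet"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "LAN_SUBNET"
        set groups "Finance" "Remote-Staff"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set logtraffic all
        set nat enable
    next
end

# Verify: test the RADIUS path without involving a client, then list the
# users currently authenticated through the firewall
diagnose test authserver radius FAC-RADIUS pap alice "her-password"
diagnose firewall auth list
```

The group-to-policy binding is the part worth checking after any change: if a policy without a group sits above this one and also matches the traffic, users are never prompted and the authentication requirement is silently bypassed.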

Inspect SSL Traffic

Welcome to the Inspect SSL Traffic lesson.


After completing this lesson, you will be able to achieve these objectives:
- Describe why SSL traffic should be inspected.
- Describe how SSL inspection works in FortiGate.
- Configure SSL inspection in a firewall policy.
HTTPS offers protection by applying encryption to web traffic; however, it also introduces a potential security risk
because attackers may attempt to use encrypted traffic to get around your network's normal defenses.

For example, Bob connects to the website example.com. This site has a certificate issued by a legitimate certificate authority (CA). Because that CA's root certificate is in Bob's trust store, Bob's browser validates the certificate and establishes an SSL/TLS session with the website. However, unknown to Bob, the example.com website has been infected with a virus. The virus, cloaked by encryption, passes through FortiGate undetected and enters Bob's computer. To prevent this, you can use SSL inspection to inspect encrypted traffic.

There are two different types of FortiGate SSL inspection:

- Certificate inspection
- Deep inspection

When you use SSL certificate inspection, FortiGate inspects only the SSL/TLS handshake when a session begins: it reads the server name (SNI) and the server certificate, and does not decrypt the encrypted payload. By doing this, FortiGate verifies the identity of the web server and makes sure that HTTPS is not used as a workaround to access sites you have blocked using web filtering.

The only security feature that you can use with SSL certificate inspection mode is web filtering. However, this
method does not introduce certificate errors and can be a useful alternative to deep SSL inspection when you use
web filtering.

When you use SSL deep inspection, also known as full inspection, FortiGate impersonates the recipient of the
originating SSL session, then decrypts and inspects the content to find threats and block them. If the content is
safe, FortiGate re-encrypts the content and sends it to the real recipient.

You can apply all types of security scanning with SSL deep inspection, including web filtering. Deep inspection not
only protects you from attacks that use HTTPS, it also protects you from other commonly used SSL-encrypted
protocols such as SMTPS, POP3S, IMAPS, and FTPS.

To use FortiGate SSL inspection, you apply an SSL inspection profile to the firewall policy. FortiOS includes four preloaded SSL inspection profiles, three of which are read-only:
- certificate-inspection
- deep-inspection
- no-inspection
You can edit the fourth preloaded profile, custom-deep-inspection. You can also clone any of the read-only profiles or create your own custom inspection profile.

When you use SSL deep inspection with the FortiGate CA certificate, your browser displays a certificate warning each time you connect to an HTTPS site. This occurs because FortiGate generates a certificate that appears to be from the correct site but is signed by the FortiGate CA, which the browser does not trust by default. From the browser's point of view this is indistinguishable from a man-in-the-middle attack, which is exactly what deep inspection is, performed deliberately by a device you administer; the warning disappears only once the client trusts the FortiGate CA.

For example, a network user connects to <https://facebook.com>. Traffic from the Facebook web server
uses the real Facebook certificate, signed by a well-known CA. FortiGate intercepts this traffic and decrypts
it.Then, when it is deemed safe, FortiGate passes the traffic on to the end user. The traffic now uses a certificate
with the name <https://facebook.com>, but the certificate is signed by the FortiGate CA.

Certificate errors can also appear when you use SSL certificate inspection, because FortiGate uses its CA
certificate to encrypt the replacement message that appears when you attempt to browse to a blocked site over
HTTPS.

To avoid certificate warnings, do one of the following:

- Download the Fortinet_CA_SSL certificate from FortiGate and install it on every workstation as a trusted root CA, for example through group policy. Browsers that keep their own certificate store (Firefox, by default) need the CA imported separately or must be configured to use the operating system store.
- Use a CA certificate issued by your own enterprise PKI (a subordinate CA that the workstations already trust) and load it on FortiGate for re-signing. A public CA will not issue a certificate that can sign other sites' certificates, so the CA used for deep inspection is always a private one.

Whichever CA you use, its private key can forge any website for every user behind FortiGate, so protect it accordingly. Applications that pin their server certificate will still fail under deep inspection and must be exempted from it.
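The editable custom-deep-inspection profile, tightened and applied to a policy, as an added FortiOS CLI example that is not part of the Fortinet lesson script. The profile and CA names are FortiOS defaults; the exempt address, its FQDN and the policy ID are placeholders, and the exempt entry stands in for any site you must not decrypt or whose client pins its certificate.

```fortios
# Added example, not from the Fortinet lesson. Exempt address and policy
# ID are placeholders.

# Address object used for the exemption (a bank the users must reach
# without decryption, for example)
config firewall address
    edit "bank-example"
        set type fqdn
        set fqdn "bank.example.com"
    next
end

config firewall ssl-ssh-profile
    edit "custom-deep-inspection"
        set comment "Deep inspection for LAN users"
        # Re-sign server certificates with the FortiGate CA. This is what
        # triggers the browser warning until Fortinet_CA_SSL is trusted.
        set server-cert-mode re-sign
        set caname "Fortinet_CA_SSL"
        set untrusted-caname "Fortinet_CA_Untrusted"
        config https
            set ports 443
            set status deep-inspection
            # Do not quietly re-sign a server certificate that does not
            # validate: block it so the failure is visible to the user.
            set untrusted-server-cert block
            set expired-server-cert block
        end
        # Deep inspection also covers the encrypted mail protocols
        config smtps
            set ports 465
            set status deep-inspection
        end
        config imaps
            set ports 993
            set status deep-inspection
        end
        config pop3s
            set ports 995
            set status deep-inspection
        end
        # Sites that are never decrypted
        config ssl-exempt
            edit 1
                set type address
                set address "bank-example"
            next
        end
    next
end

# Apply the profile; security profiles on this policy now see plaintext
config firewall policy
    edit 3
        set utm-status enable
        set ssl-ssh-profile "custom-deep-inspection"
    next
end
```

Before switching a user-facing policy from certificate-inspection to this profile, export Fortinet_CA_SSL from System > Certificates and deploy it to the workstations' trusted root store; otherwise every HTTPS site produces a warning from the moment the policy is saved.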
Blocking Malware

Welcome to the Blocking Malware lesson.


After completing this lesson, you will be able to achieve these objectives:
- Understand why you should use antivirus protection.
- Explain how FortiGate antivirus works to block malware.
- Configure FortiGate antivirus.
Keeping malware out of your network is key to securing your organization. Cyber criminals use malware to:
- Cause data breaches
- Extort money
- Steal intellectual property
- Disrupt business and destroy systems
FortiGuard Labs provides the database of signatures that allows FortiGate to identify malware. FortiGate can pull updates on a schedule (every few hours, daily, weekly, or automatically at an interval chosen by FortiGuard) and can also receive push updates as soon as FortiGuard publishes them, which keeps the database current and maintains protection against the latest malware variants.

FortiGate uses several techniques to detect viruses, including:
- Antivirus scan: detects known malware and is the first, fastest, and simplest technique. FortiGate detects files that exactly match a signature in the FortiGuard antivirus database.
- Grayware scan: detects unsolicited programs, known as grayware, that are installed without the user's knowledge or consent. Grayware is not technically a virus, but it causes unwanted behavior, so FortiGate treats it as malware. FortiGate usually detects grayware using a FortiGuard grayware signature.
- Machine learning/artificial intelligence scan: uses ML and AI techniques to detect zero-day malware that is new, unknown, and has no matching signature yet. Because this scan is based on probability, it increases the possibility of false positives. By default, when FortiGate flags a file this way, it logs the file as suspicious but does not block it; you can choose whether to block or allow suspicious files.
You configure antivirus settings as part of an antivirus profile. In the antivirus profile, you can define what
FortiGate should do if it detects an infected file. After you configure an antivirus profile, you must apply it in the
firewall policy.

The antivirus profile contains a variety of options that you can configure, including:
- How Windows executable files in email attachments are handled: you can have FortiGate treat every executable attachment as a virus and block it, whether or not it matches a signature.
- Whether to send files to FortiSandbox for inspection. If FortiGate is connected to a FortiSandbox appliance or FortiSandbox Cloud, the antivirus profile can submit suspicious files for behavior analysis.
- Whether to use the FortiGuard virus outbreak prevention database. This database provides additional protection against newly emerging malware and consists of third-party malware hash signatures curated by FortiGuard.

To instruct FortiGate to scan for malware, configure antivirus protection. The recommended process is:

First, create an antivirus profile, or configure the default antivirus profile.

Second, enable antivirus scanning on a firewall policy and select the correct profile.

Third, verify the configuration by attempting to download a test file, such as the one available from The European
Institute for Computer Antivirus Research (EICAR).

Finally, use FortiGate logs to monitor antivirus protection.
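The procedure above in the FortiOS CLI, as an added example that is not part of the Fortinet lesson script: an antivirus profile that blocks signature and outbreak-prevention hits, treats executable mail attachments as viruses, keeps the machine-learning verdict in monitor mode at first, and is attached to an existing internet policy alongside a scheduled signature update. The profile name, the policy ID and the SSL profile it references are assumptions.

```fortios
# Added example, not from the Fortinet lesson. Profile name, policy ID and
# the SSL inspection profile are placeholders.

config antivirus profile
    edit "av-lan"
        set comment "Block known malware, log ML suspicions"
        set feature-set flow
        # Start in monitor mode: suspicious files are logged, not blocked.
        # Change to "enable" once the false-positive rate in the logs is
        # acceptable for your users.
        set machine-learning-detection monitor
        config http
            set av-scan block
            set outbreak-prevention block
        end
        config ftp
            set av-scan block
            set outbreak-prevention block
        end
        config smtp
            set av-scan block
            set outbreak-prevention block
            # Treat any Windows executable attachment as a virus
            set executables virus
        end
        set av-virus-log enable
        set av-block-log enable
    next
end

# Apply to the internet policy. HTTPS downloads are only scanned if the
# policy also performs deep SSL inspection; certificate inspection alone
# cannot see the file.
config firewall policy
    edit 3
        set utm-status enable
        set ssl-ssh-profile "custom-deep-inspection"
        set av-profile "av-lan"
    next
end

# Pull signature updates every hour in addition to FortiGuard push updates
config system autoupdate schedule
    set status enable
    set frequency every
    set time 01:00
end

# Verify the signature versions FortiGate is running, then download the
# EICAR test file from eicar.org through policy 3: the download should be
# replaced by a block page and a virus log entry should appear.
diagnose autoupdate versions
```

The EICAR file is the right test because it is a harmless string that every scanner recognizes; a successful download of it through the policy means either the profile is not attached, the session matched a different policy, or the transfer was encrypted and not inspected.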

Control Web Access Using Web Filtering

Welcome to the Control Web Access Using Web Filtering lesson.


After completing this lesson, you will be able to achieve these objectives:
- Understand why you should use web filtering.
- Describe FortiGuard categories.
- Configure FortiGate web filtering.
So, why do organizations, and people in general, use web filtering? Web filtering helps to control, or track, the websites that people visit. There are many reasons why network administrators would apply web filtering:
- To limit access to distracting web sites, such as social networking sites, to keep their employees focused on work and maintain productivity.
- To prevent network congestion by making sure users do not use valuable bandwidth for non-business purposes, such as streaming a video.
- To decrease exposure to web-based threats by limiting access to potentially harmful websites.
- To limit liability, if employees attempt to download inappropriate or offensive material.
- To prevent users from viewing inappropriate material.
For web filtering, FortiGate can use FortiGuard category filters to control web access. FortiGuard categories are
derived from the FortiGuard web filtering service.

The service includes the FortiGuard URL Categories Database, which sorts billions of web pages into a wide
range of rating categories.

Each category contains websites or web pages that have been assigned based on their dominant web content.
These categories can, in turn, be blocked or allowed according to their content. The database categorizes web
content based on its viewing suitability for three major groups of consumers: enterprises, schools, and home and
families.

For example, Twitter is categorized in the General Interest - Personal category, while Dropbox is categorized in the Bandwidth Consuming category.

Categories are further divided into subcategories. General Interest - Personal includes subcategories such as Social Networking and News and Media, while Bandwidth Consuming includes subcategories such as File Sharing and Storage, Internet Telephony, and Streaming Media and Download.

Website categories are determined by both automated and human methods. The FortiGuard team has automatic
web crawlers that look at various aspects of the website in order to come up with a rating. There are also people
who examine websites and look into rating requests to determine categories.

To review the complete list of categories and subcategories, visit www.fortiguard.com/webfilter/categories. To search for the category of a specific URL, visit www.fortiguard.com/webfilter.

FortiGate works with FortiGuard categories to determine how websites are filtered. Rather than blocking or allowing websites individually, FortiGuard category filtering looks up the category the website has been rated in. FortiGate blocks or allows access based on the action defined for that category, not on the individual URL.


FortiGate allows or blocks connections to websites based on the action configured for each FortiGuard category in the web filter profile. The available actions are Allow, Monitor (allow and log), Block, Warning (show a warning page that the user can click through for a set period), and Authenticate (require the user to authenticate, or to belong to a chosen group, before the site is allowed). Because most web traffic is HTTPS, category filtering needs at least SSL certificate inspection on the policy so that FortiGate can read the server name from the TLS handshake.

To enhance network security, you can configure FortiGate for web filtering based on FortiGuard categories. The recommended process is:

First, ensure that FortiGate has a valid FortiGuard security subscription license.

Second, identify how the FortiGuard service categorizes the specific website you are trying to block or allow.

Third, configure a web filtering profile to use FortiGuard category-based filters.

Fourth, apply the web filter security profile to a firewall policy to start inspecting web traffic. At this point, if you want
to generate logs, enable logging on the firewall policy.

Finally, test the web filter security profile configured for the specified FortiGuard category-based filters.
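The procedure above in the FortiOS CLI, as an added example that is not part of the Fortinet lesson script: a web filter profile with three category actions, attached to the internet policy with certificate inspection and logging, plus the commands that confirm the FortiGuard subscription and rating servers. The category numbers are from my reading of the FortiGuard category list and must be checked against www.fortiguard.com/webfilter/categories before use; the profile name and policy ID are placeholders.

```fortios
# Added example, not from the Fortinet lesson. Verify category IDs against
# the FortiGuard category list; profile name and policy ID are placeholders.

config webfilter profile
    edit "wf-lan"
        set comment "FortiGuard category filtering for LAN users"
        set feature-set flow
        config ftgd-wf
            config filters
                # Category 26 (Malicious Websites): block
                edit 1
                    set category 26
                    set action block
                next
                # Category 61 (Phishing): block
                edit 2
                    set category 61
                    set action block
                next
                # Category 37 (Social Networking): warn, then allow for 1h
                edit 3
                    set category 37
                    set action warning
                    set warn-duration 1h
                next
            end
        end
        # Log every rated URL, not only the blocked ones
        set log-all-url enable
    next
end

# Certificate inspection is enough for category filtering: the rating is
# done on the server name from the TLS handshake, without decryption.
config firewall policy
    edit 3
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "wf-lan"
        set logtraffic all
    next
end

# Verify: current FortiGuard licenses and package versions, then the
# rating servers FortiGate is using (an empty or failed list means every
# category lookup falls back to the unrated action).
diagnose autoupdate versions
diagnose debug rating
```

To test, look up the rating of a site at www.fortiguard.com/webfilter first, then browse to it from a LAN host; a site in category 26 or 61 must return the block page, and the event must appear under the web filter logs with the category name.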

Configuring the FortiGate Intrusion Prevention System

Welcome to the Configuring the FortiGate Intrusion Prevention System lesson.


After completing this lesson, you will be able to achieve these objectives:
- Describe what an intrusion prevention system (IPS) is.
- Explain how an IPS can detect and block malicious activity on a network.
- Configure the FortiGate IPS.
- Describe common best practices when working with an IPS.
Intrusion prevention systems, or IPS, play a very important part in preventing cyberattacks and protecting
networks from various threats. An IPS analyzes network traffic, identifies activity that matches known attack
patterns or violates protocol rules, and blocks it before it reaches its target.

To identify malicious traffic, FortiGate uses its top-of-the-line IPS engine and IPS sensors. An IPS sensor is a
collection of IPS signatures and filters that define the scope of what the IPS engine scans when the IPS sensor is
applied to a firewall policy. IPS sensors also provide the ability to block access to known malicious URLs and IP
addresses linked to botnet command-and-control (C&C) servers. An IPS works by analyzing network traffic in real
time, and using a variety of techniques to look for patterns that may indicate a potential attack. At times some of
these techniques overlap and complement each other to provide better results.

The FortiGate IPS engine uses the following detection techniques, among others:
l Protocol decoders
l Signatures
Once an IPS detects malicious activity, it can take various actions that range from simply creating a log, to
blocking the threat entirely.

Attackers can send malformed packets to make the target system behave abnormally or even stop working. Before
checking for attacks, FortiGate uses protocol decoders to detect anomalous traffic that does not conform to
established protocol requirements and standards. This allows FortiGate, for example, to identify HTTP packets
that deviate from the HTTP standard. FortiGate protocol decoders can identify most protocols even when they
use nonstandard port numbers.

After FortiGate identifies the protocol, it uses signatures to check for malicious traffic. Signatures are entries in a
database that include very specific details about known threats. The IPS examines the network traffic and looks
for matches in the database. When it finds a match, the IPS takes the action configured for that specific signature.
Each signature includes a default action, but you can change it to another one as needed. FortiGate firewalls
include thousands of signatures and receive daily updates from FortiGuard. However, FortiGate uses only the
signatures that you specify to examine traffic. The use of signatures is effective in detecting known threats, but it
does not detect new or unknown threats.

Configuring the FortiGate IPS consists of three steps. Click each step to learn more.

First, you must select the IPS sensor that will be used to analyze the traffic. FortiGate includes several predefined
sensors that you can use as provided or edit. Additionally, you can create your own custom sensor to meet your
specific requirements.

Second, you must review or edit the signatures and filters included in the sensor. You can also enable the sensor to
block malicious URLs and botnet C&C traffic. Each of these options is independent of the others, and you should
configure them according to your requirements.

Lastly, after the sensor is ready, you must apply it to a firewall policy.

The table on this slide includes all possible actions that the FortiGate IPS can take when it detects a network
intrusion.

Most of the time, an IPS is not a set-it-and-forget-it solution. Determining and updating the correct signature
actions is part of the continuous tuning that you must do to improve the effectiveness of your IPS implementation.
Different sensors can use the same signatures with different actions, depending on the traffic each sensor
examines. For example, you can be more permissive with traffic that originates from trusted locations and more
restrictive with traffic from other locations.

As with any other security solution, it is important to monitor the IPS logs that your firewall generates.

The FortiGate GUI makes all logged information available in the Intrusion Prevention widget included in the
Security Events section under Logs and Reports.

For a more complete examination, and to review the full information of the detected IPS traffic, you must navigate
to the Logs tab. In this section you can access all the details pertaining to the relevant logs.

These are some of the best practices to follow when working with an IPS. Click on each tile to learn more.
l Verify that the IPS database is up to date: To ensure proper protection, your IPS must have the latest information
about known attacks. During normal operation, FortiGate receives daily updates from FortiGuard, but this can be
affected by unplanned network outages. You can also update the database manually.
l Consider using the IPS sensors provided as initial templates for new custom ones: The default sensors are a good
starting point, but you should not modify them. Instead, you can clone them and make the required edits to the
clones.
l Consider using the IPS both for incoming and outgoing traffic: In modern environments, threats originate from
outside the organization as well as inside. Because of this, you should configure the IPS to examine traffic in both
directions.
l Ensure that SSL deep inspection is in place so that the IPS can examine all traffic: Without deep inspection, the IPS
will not detect threats hidden in encrypted traffic. Certificate inspection alone reveals only the server name and
certificate, not the payload that the signatures need to see.
l Evaluate whether you need to tune your IPS sensors: In general, you should always start with the default actions for
each signature. However, based on the results obtained, you should evaluate whether you can customize the IPS
sensors to better meet the requirements of your environment. This way you can minimize false positives and
improve the performance of your FortiGate.
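The three configuration steps and several of the best practices above (a sensor per traffic direction, stricter actions for untrusted sources, a per-signature override, SSL inspection, logging), as one added FortiOS 7.4 CLI example. It is the editor's own, not code from the Fortinet course. Assumptions: port1 is the WAN interface, port2 the LAN, dmz the DMZ interface; the address object dmz-web-servers and an SSL/SSH inspection profile named dmz-server-inspection (a Protecting SSL Server profile that holds the DMZ server's own certificate) already exist. Signature ID 12345 is a placeholder, not a real FortiGuard signature.

```fortios
# Added example (editor's, not Fortinet's): two custom IPS sensors, one per direction, on two policies.
# Assumptions: port1 = WAN, port2 = LAN, dmz = DMZ; "dmz-web-servers" and "dmz-server-inspection" exist.
# Rule 12345 is a PLACEHOLDER signature ID. Lines starting with "#" are comments.

config ips sensor
    edit "ips-inbound-dmz"
        set comment "Internet to DMZ servers: strict"
        # FortiGuard malicious URL list and botnet C&C list, independent of the signature entries
        set block-malicious-url enable
        set scan-botnet-connections block
        config entries
            # entries are evaluated top-down, first match wins: per-signature overrides go above broad filters
            edit 1
                set rule 12345
                set status enable
                set action pass
                set log enable
            next
            # server-side signatures of medium severity and up: block and keep the triggering packet
            edit 2
                set location server
                set severity medium high critical
                set status enable
                set action block
                set log enable
                set log-packet enable
            next
        end
    next
    edit "ips-outbound-lan"
        set comment "LAN clients to internet: client-side signatures"
        set block-malicious-url enable
        set scan-botnet-connections block
        config entries
            edit 1
                set location client
                set severity high critical
                set status enable
                set action block
                set log enable
            next
        end
    next
end

config firewall policy
    # inbound: the IPS cannot read TLS payloads without decryption, so the server's own
    # certificate is used to inspect traffic to the DMZ
    edit 0
        set name "WAN-to-DMZ-web"
        set srcintf "port1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "dmz-web-servers"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set utm-status enable
        set ssl-ssh-profile "dmz-server-inspection"
        set ips-sensor "ips-inbound-dmz"
        set logtraffic utm
    next
    # outbound: the built-in deep inspection profile (clients must trust its CA certificate)
    edit 0
        set name "LAN-to-WAN"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"
        set ips-sensor "ips-outbound-lan"
        set logtraffic utm
        set nat enable
    next
end
```

Before relying on the sensors, check the age of the IPS engine and definitions with `diagnose autoupdate versions`, force a refresh with `execute update-now`, and read the resulting events with `execute log filter category 4` followed by `execute log display`. `logtraffic utm` records only sessions that raised a security event; switch to `all` during tuning so that allowed traffic is visible too.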
You have completed this lesson. You are now able to:
l Describe what an intrusion prevention system (IPS) is.
l Explain how an IPS can detect and block malicious activity on a network.
l Configure the FortiGate IPS.
l Describe common best practices when working with an IPS.

Controlling Applications Access

Welcome to the Controlling Applications Access lesson.

Click Next to get started.

After completing this lesson, you will be able to achieve these objectives:
l Understand application control.
l Explain how FortiGate application control works to limit access.
l Configure FortiGate application control.
l Monitor FortiGate application control.
To improve security and meet compliance standards, the application control capability in FortiGate helps enforce
the acceptable use and resulting traffic flow of network applications, as defined in a policy.

Application control can identify network traffic generated by specific applications and take the appropriate
action, such as monitoring or blocking the traffic, or applying traffic shaping, for all users or a specific set of users
matched by a firewall policy.

Being able to control the traffic flow of network applications may not be a priority within a traditional
client-server architecture, where each application uses a defined protocol over a standard port number.

However, the need to control application traffic becomes increasingly relevant with peer-to-peer applications,
such as BitTorrent, in which many peers send traffic using dynamic ports.

Peer-to-peer protocols use evasive techniques to bypass traditional firewall policies. Therefore, FortiGate
application control involves the matching of known patterns to the transmission patterns of the application.

The database for application control signatures is provided by FortiGuard Labs.

The traffic analysis is performed through the IPS engine, which uses flow-based inspection. So, the pattern match
is performed directly in the entire byte stream of the packet, independently of protocol or port number.

In the Application Control profile, you configure the application control settings, which you must then apply in a
firewall policy.

In the Application Control profile, the application signatures are grouped by category, and you can set each
category to monitor, allow, block or quarantine.

To provide more granularity, you can configure each application signature or group of application signatures
specifically using the override option. For example, the override option allows you to block Facebook apps while
still allowing users to collaborate using Facebook chat.

To summarize the profile-based configuration of limiting access to specific applications, you can expand each task
to identify the basic recommended process.

First, create an application control profile, or modify a preconfigured one.

Second, modify action in the application categories or configure application override.

Third, select the correct application control profile in the firewall policy.

Fourth, verify the configuration by attempting to access the corresponding application.

Finally, use FortiGate logs to monitor applications access limitation.
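The five steps above, with the Facebook-apps-versus-Facebook-chat override mentioned earlier, as an added FortiOS 7.4 CLI example (the editor's own, not code from the Fortinet course). Assumptions: port1 is the WAN interface, port2 the LAN, category 2 is P2P, category 23 is Social.Media, and application ID 15832 is the Facebook_Chat signature. All three IDs are placeholders to verify with `set category ?` and `set application ?` inside the entry on your firmware.

```fortios
# Added example (editor's, not Fortinet's): block P2P and social media, keep Facebook chat usable.
# Assumptions: port1 = WAN, port2 = LAN; IDs 2 (P2P), 23 (Social.Media) and 15832 (Facebook_Chat)
# are PLACEHOLDERS to verify. Lines starting with "#" are comments.

config application list
    edit "app-p2p-social"
        set comment "Block P2P and social media, allow Facebook chat"
        # identify applications inside TLS where the policy's SSL inspection allows it
        set deep-app-inspection enable
        # review what "unknown" and "other" match before turning either to block
        set unknown-application-action pass
        set other-application-action pass
        config entries
            # entries are matched top-down and the first match wins, so the override must come first
            edit 1
                set application 15832
                set action pass
                set log enable
            next
            edit 2
                set category 23
                set action block
                set log enable
            next
            edit 3
                set category 2
                set action block
                set log enable
            next
        end
    next
end

# The profile does nothing until a policy references it. Certificate inspection identifies
# HTTPS applications from the server name only; deep inspection is needed to see inside the stream.
config firewall policy
    edit 0
        set name "LAN-to-WAN-appctrl"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set application-list "app-p2p-social"
        set logtraffic all
        set nat enable
    next
end
```

To verify, start a BitTorrent client and a Facebook chat session from a LAN host, then read the application control logs with `execute log filter category 10` followed by `execute log display`; the chat session should appear with action pass and the torrent traffic with action block.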

You have completed this lesson. You are now able to:
l Control the use of network applications.
l Explain how FortiGate application control works to limit access.
l Configure FortiGate application control.
l Monitor FortiGate application control.

Creating IPsec Virtual Private Networks

Welcome to the Creating IPsec Virtual Private Networks lesson.

Click Next to get started.

After completing this lesson, you will be able to achieve these objectives:
l Understand what IPsec Virtual Private Networks (VPNs) are and why they are used.
l Understand how FortiGate IPsec VPNs work.
l Configure IPsec VPNs using FortiGate devices.
IPsec is a suite of industry standard protocols that is used to create secure connections between devices located
on different, and often geographically distant, networks. These secure connections are known as virtual private
networks, or VPNs.

Depending on the configuration used, IPsec can provide some or all the following features:
l Data authentication, to verify the source of the data.
l Data integrity, to prevent data tampering.
l Data confidentiality, to encrypt the traffic.
l Anti-replay protection, to prevent replay attacks.
These features are extremely important because, in most implementations, the VPN traffic travels through non-
secure networks like the internet. One important advantage that IPsec VPNs have over other VPN solutions is that
they don’t require the intervention of service providers. All that you need to establish a secure VPN tunnel is IP
reachability between the two ends of the connection.

IPsec can be used to create two types of VPNs: remote access VPNs, and site-to-site VPNs.
l A remote access VPN allows a client device to connect to a remote network. These VPNs are commonly used by
teleworkers who need a secure way to access files and services hosted on their company’s network while at home
or traveling. In remote access VPNs, the client always initiates the connection. Remote users typically use a
password to log in to their workplace network, but other solutions are supported, including multi-factor
authentication (MFA). FortiGate accepts FortiClient and several products from other vendors as remote VPN clients.
l A site-to-site VPN allows networks in two different physical locations to reach each other securely. For example, a
site-to-site VPN can allow the computers in a branch office to access resources hosted in the HQ building, or even
other branch offices. In site-to-site VPN, either side can initiate the connection. When you use multiple site-to-site
VPN tunnels you can create hub-and-spoke, partial mesh, and full mesh topologies. FortiGate can establish site-to-
site VPNs with other FortiGate devices, as well as with devices from other vendors, including cloud service providers
like AWS and Azure.
In both types of VPNs, after the connection is established, the devices in one network can reach the devices in the
other network. When connected through a VPN, devices in different networks become part of the same logical
network.

Regardless of the IPsec VPN type used, the IKE protocol is used to create the tunnels dynamically. FortiGate
supports the two available versions of IKE: IKEv1 and IKEv2. While IKEv2 includes several security improvements
over IKEv1, the latter is still widely used in many VPN deployments. When using IKEv1, the IPsec VPN process
goes through two stages: Phase 1 and Phase 2.

In Phase 1, the two peer devices authenticate with each other and establish a secure channel that they will use to
negotiate the security parameters of Phase 2. This first channel acts as the control plane of the VPN connection.
The peers can be configured with several combinations, or proposals. Each proposal consists of several security
parameters.

For a successful Phase 1, the following parameters must match in at least one of the proposals on each peer
device:
l IKE mode: main or aggressive
l Authentication method (and, for pre-shared key authentication, the key itself)
l Encryption algorithm
l Hashing algorithm
l Diffie-Hellman group
Other parameters don’t need to match because they can be negotiated. Phase 2 can start only after Phase 1
completes successfully.

In Phase 2, both peer devices determine which traffic must be sent over the VPN, and how it will be authenticated
and encrypted. In this phase, a sub-tunnel of the parent Phase 1 tunnel is created. This sub-tunnel acts as the
data plane.

Like in Phase 1, the peers can be configured with several Phase 2 proposals. For a successful Phase 2, the
following parameters must match in at least one proposal on both peers:
l Encryption algorithm
l Hashing algorithm
l Diffie-Hellman group (only if perfect forward secrecy (PFS) is used, which is highly recommended)
Other parameters don’t have to match since they can be negotiated.

The traffic that is to be protected must be indicated by listing the local and remote subnets that will communicate
through the tunnel:
l In a remote access VPN, both subnets are configured on the server side.
l In a site-to-site VPN, the subnets on each peer must mirror each other.
IKEv2 was designed with several improvements over IKEv1, both in security and performance. It is the
recommended protocol for new IPsec VPN implementations, unless the available hardware does not support it.
Although it shares many similarities with its predecessor, IKEv2 does not use the Phase 1 and Phase 2 structure
of IKEv1, and it is not backward compatible with IKEv1.

Some of the benefits of using IKEv2 over IKEv1 include:
l The use of fewer messages, which reduces the latency and the bandwidth used during the negotiation of the tunnels.
l The use of sequence numbers and acknowledgments in its messages.
l Support for EAP, which adds more flexibility, scalability, and interoperability during the authentication process.
l Support for post-quantum pre-shared keys (PPK).
l Support for asymmetric authentication, which allows the peers to use different authentication methods.
l Support for stronger security algorithms. For example, FortiGate supports SHA-2 based pseudorandom functions
(PRF-SHA) for hashing and AES-GCM for encryption, both with several bit lengths available.
l Better resilience against DoS attacks.

FortiGate firewalls use the ESP protocol to authenticate and encrypt VPN traffic. ESP provides data encryption,
data integrity, and data origin authentication, but it does not authenticate the identity of the peers. Peer identity
authentication is provided by IKE during the Phase 1 negotiation.

The following table shows some of the most well-known encryption and hashing algorithms supported by ESP in
FortiGate. Click on each value to see more details.
l Data Encryption Standard, or DES, uses a 56-bit key and is considered weak compared to other encryption
algorithms. It is not recommended for use in modern systems.
l Triple Data Encryption Standard, or 3DES, applies three DES operations in a row to provide a stronger level of
encryption. However, because of its slow performance, its small 64-bit block size, and its short effective key length,
it is not considered a good option.
l Advanced Encryption Standard, or AES, is available with several key lengths. The higher the number of bits in the
key, the stronger the encryption. It is currently considered very secure and is the most widely used encryption
algorithm.
l Message Digest 5, or MD5, can still be found in some legacy systems and applications, but it is no longer
recommended for use in systems that require strong security.
l Secure Hash Algorithm 1, or SHA-1, is no longer recommended for use in systems that require strong security,
because practical collision attacks against it are known.
l Secure Hash Algorithm 2, or SHA-2, is more secure than SHA-1. It is available with several bit lengths. The higher
the number of bits used, the more secure the resulting hash. It is considered a secure option.
The following are some general best practices that can help you to avoid unexpected issues when configuring
VPNs with FortiGate. Click each tile to learn more.
l Ensure your firewalls have the latest updates and security patches installed. VPNs are one of the most preferred
targets of cybercriminals. An up-to-date firewall minimizes your risk of becoming a victim of cybercrime.
l Use encryption and hashing levels that meet your requirements. Many FortiGate models include specialized content
processors (CPs) that can offload the encryption and decryption operations from the CPU. However, if your device
does not have this capability, remember that the use of stronger encryption and hashing algorithms requires more
CPU resources and that can affect device performance.
l Verify both peers support the same IPsec features. Older devices, or devices from other vendors, may not support
the same levels of encryption, hashing and so on, supported by FortiGate. You should verify which IPsec features
are supported, since they must match to be able to establish an IPsec VPN connection.
l Ensure the needed ports are open in all the firewalls in the traffic path. IKE uses User Datagram Protocol (UDP) port
500 by default, and UDP port 4500 for NAT traversal when a VPN device is behind network address translation (NAT).
Without NAT, the ESP traffic itself is carried as IP protocol 50, which must also be permitted. A firewall blocking
these ports, such as one operated by a service provider, will prevent the establishment of IPsec VPN connections.
l Select the proper mode when using IKEv1.
l Main mode is more secure but slower. This is the FortiGate default for site-to-site VPNs.
l Aggressive mode is less secure but faster. This is the FortiGate default for remote access VPNs. With pre-shared
keys, aggressive mode sends the peer identity and the authentication hash in the clear, which allows offline
guessing of the key, so use a long random pre-shared key or certificate authentication.
FortiGate provides an intuitive wizard to help you easily configure IPsec VPNs. The wizard includes several
templates with security settings that are appropriate for the most common scenarios. The security settings include
various proposals combining different levels of AES for encryption, and SHA-2 for hashing. If for legal or
compliance reasons you are required to use specific security parameters, you can create a custom tunnel. This
will allow you to select the specific settings that meet your needs. Another option is to convert a tunnel created
with a template into a custom tunnel so you can edit all its settings.

The FortiGate GUI also makes it very easy for you to monitor VPN tunnels. Not only can you check whether a
tunnel is up or down, but details about traffic volume, and even the status of both Phase 1 and Phase 2, are also
shown. This can be very helpful while troubleshooting. For example, if only the Phase 2 tunnel is not working, it
means that the peer devices were able to create the Phase 1 tunnel. Knowing this means that you can discard
lack of connectivity as the reason for the failure. You can proceed to double-check that the parameters were
configured correctly on both devices, and that they include at least one matching proposal.

You have completed this lesson. You are now able to:
l Understand what IPsec VPNs are and why they are used.
l Understand how FortiGate IPsec VPN works.
l Configure IPsec VPNs using FortiGate devices.

Configuring FortiGate SSL VPN

Welcome to the Configuring FortiGate SSL VPN lesson.

Click Next to get started.

After completing this lesson, you will be able to achieve these objectives:
l Describe what SSL VPN is and its benefits.
l Describe how FortiGate SSL VPN works.
l Configure FortiGate SSL VPN.
l Apply general best practices when using SSL VPN.
Secure Sockets Layer Virtual Private Network (SSL VPN) is a type of VPN that uses SSL/TLS encryption (in practice,
current TLS versions) to create a secure, encrypted connection between a client device and a device acting as a
VPN server.

Although SSL VPN is most commonly used to grant remote workers access to their corporate networks, it is also
possible to configure it between two FortiGate firewalls. In this lesson you will learn about the remote access
implementation.

Many organizations opt to use SSL VPN for remote access rather than IPsec VPN. However, each technology has its
pros and cons, so you should examine your scenario carefully to make the best choice.

These are some benefits of using SSL VPNs with FortiGate. It is important to note that some of these benefits
apply only to specific configurations. Click each benefit to learn more.
l Use of a common protocol: SSL/TLS is the protocol that protects HTTPS traffic and, by default, uses TCP port 443.
This means that this traffic is typically not blocked by intermediate firewalls.
l Flexibility: Depending on the needs of the clients, they may only require a web browser to access a customized web
portal. This is especially useful when dealing with mobile devices. However, the option of installing client VPN
software is also available.
l Granular access: Administrators can easily restrict which resources the clients are allowed to access.
l Integrity checks for Windows clients: This security feature ensures that remote devices connecting to the VPN are
compliant with the security policies of the organization. For example, it can check if the client has antivirus software
installed and deny access if it doesn’t.
l Cost effective: Unlike other vendors, no additional license is required to use SSL VPN. The FortiClient VPN can also
be made available for download at no cost from the SSL portal. Additionally, the number of remote users supported
is determined only by the FortiGate model.
SSL VPNs are available in two modes: web mode and tunnel mode. Based on your requirements, you can deploy
an SSL VPN using one mode or both. Click each mode to learn its details.
l Web mode provides access to web-based applications through a web browser. The user only needs to open the
URL or IP address provided and log in to the web portal. It is important to mention that FortiGate functions as a
reverse web proxy to allow access to applications that are not natively designed to be accessed through the web.
This mode is best suited for users who need to access a limited set of resources, such as web-based applications,
intranet sites, and email, among others. The main advantages of this mode are that it doesn’t require any client
software to be installed, and administrators can provide very granular access to the users. On the downside, since
all the access is through a web page, there is a limited number of applications and protocols supported. Typical
access includes bookmarked URLs, FTP servers, Windows shares, and remote sessions to other systems using
Telnet, SSH, VNC, or RDP.

l Tunnel mode provides full network access to remote users as if they were physically present on the corporate
network. This mode is best suited for remote workers who need to access a wide range of services, including client-
server applications, file shares, and other typical network resources. The ability to access all kinds of resources is
the big advantage of this mode. However, to enable it, you must install and configure the FortiClient VPN on the
remote device. This may create extra overhead for the support team when dealing with users who are not technically
savvy and are trying to use their own devices.
Configuring SSL VPN requires several steps that vary according to specific requirements. The general process is
straightforward and involves the following steps:

Step 1 is to create the users and/or groups you want to grant permission to connect: You can use local users or
any of the supported remote authentication servers for this.

Step 2 is to review and, if needed, edit the SSL VPN portals: FortiGate includes three default SSL VPN portals
configured for web access, tunnel access, or both. You can also create custom portals to meet specific needs for
specific users.

Step 3 is to configure the SSL VPN settings: These settings determine the port number that will be used to receive
connection requests, the SSL certificate to be used, and options specific to each SSL VPN mode. In this step, you
also determine which users will be accessing which portal.

The last step is to create a firewall policy to allow the VPN traffic: In this step, you create the firewall policy that
allows the traffic through the firewall in the same manner as with other policies. One difference here is the use of a
virtual tunnel interface in the From field to refer specifically to the VPN traffic.

The following are some general best practices to keep in mind when working with SSL VPN. Click each tile to
learn more.
l Select the appropriate SSL VPN mode: It may be possible that your users need only one of the SSL VPN modes.
Use SSL VPN portals with the unused SSL mode disabled.
l Reduce administrative effort by using remote authentication servers: Avoid using local users if possible. Having a
centralized authentication solution saves time and prevents human errors. This is especially true in bigger
environments.
l Use a valid SSL certificate: Replace the default self-signed certificate with another one that is trusted by your users’
devices. You can purchase a certificate from a trusted vendor, or you can implement your own PKI infrastructure to
achieve this.
l Use the principle of least privilege when configuring firewall policies for VPN traffic: This is true for any firewall policy,
but it is especially important when you are allowing remote devices to connect to your network.
l Use the client integrity check: For Windows clients, always verify that they have antivirus software, firewall software,
or both, installed.
l If possible, do not allow connections from all locations: This is not always feasible, but it is ideal to restrict access to
connection requests from specific public IP addresses trusted by your organization.
You have completed this lesson. You are now able to:
l Describe what SSL VPN is and its benefits.
l Describe how FortiGate SSL VPN works.
l Apply general best practices when using SSL VPN.
l Configure FortiGate SSL VPN.

FortiGate System Maintenance and Monitoring

Welcome to the FortiGate System Maintenance and Monitoring lesson.

Click Next to get started.

After completing this lesson, you will be able to achieve these objectives:
l Perform common FortiGate maintenance tasks.
l Back up and restore a FortiGate configuration.
l Upgrade FortiGate firmware.
l Monitor FortiGate resource use.
l Examine FortiGate licenses.
l Monitor FortiGate system logs.
Performing regular maintenance on FortiGate firewalls is essential to ensure the security and optimal
performance of your network. Organizations should prioritize these tasks to prevent security breaches, optimize
performance, meet compliance requirements, and ensure business continuity.

The most common maintenance tasks include backing up configurations, performing firmware upgrades,
monitoring system performance, examining licenses, and monitoring event logs.

Every FortiGate administrator should back up their system configurations on a regular basis.

In case of a system or hardware failure, restoring the backup configuration saves time and effort by avoiding
having to reconfigure the firewall from scratch. Configuration backups are also useful when migrating to a new
hardware platform or when troubleshooting issues after unexpected configuration changes.

You can save configuration backups as files on the local PC or, if available, a USB key. To restore a configuration,
you must know where the backup file is stored and upload it using the GUI.

Additionally, if your FortiGate device has at least 512 MB of flash memory, you can store configuration revisions
locally on the firewall and use them to revert quickly to a previous system state.

Fortinet releases new firmware versions regularly to add new features, resolve important issues, and improve
performance. Upgrading the firmware helps FortiGate firewalls to stay up to date on the latest security threats and
ensures optimal performance.

In version 7.2 and later, new FortiOS firmware uses a tag to indicate its maturity level. A letter F, for Features,
indicates that the firmware includes new features, and a letter M, for Mature, indicates that the release doesn’t
include any new major features.

FortiGate firewalls with a firmware upgrade license display a notification when new firmware is released, and
provide the option to install it. Using this method, FortiGate downloads and installs the upgrade automatically.

Alternatively, you can download the firmware file manually from the Fortinet support portal and perform the
upgrade using the downloaded file. In this case, it is important to ensure that the firmware you download is
compatible with the FortiGate model, and that you follow the supported upgrade path.

While performing the upgrade, you are prompted to back up your configuration. It is highly recommended that you
create a configuration backup before upgrading the current firmware, in the unlikely event that something goes
wrong during the process.

If you must upgrade to a specific firmware version but there are several intermediate versions between your
current version and the version you are upgrading to, it is important to follow a supported upgrade path to ensure a
successful upgrade process.

The upgrade path is the recommended sequence of firmware upgrades that you should follow when updating a
FortiGate device. Fortinet provides this sequence. Following it ensures that the configuration is converted correctly
at each intermediate version and reduces the risk of ending up with an unstable device.

To let FortiGate follow the recommended upgrade path automatically, you can select the desired firmware version
under All Upgrades.

In this example, FortiGate upgrades automatically from version 7.2.1 to 7.2.3 before performing the final upgrade
to 7.4.0.

If you are performing the upgrade manually, you should check the Upgrade Path Tool provided by Fortinet. This is
an online utility that allows you to easily find the recommended sequence of firmware versions for your specific
platform.

Monitoring the performance of FortiGate helps to ensure that it is functioning correctly, and that its hardware is
adequately sized to handle the network traffic. You don’t want an overloaded or underused firewall.

In general, you should always monitor CPU and memory use. However, you should also keep an eye on the
available disk space, especially if your traffic logs are stored locally. By monitoring these key resources, you can
identify potential bottlenecks or performance issues.

In most cases, you should also monitor other non-hardware parameters for a complete overview of your firewall’s
performance. For example, you can monitor the number of sessions, how many logs are being generated per
second, and the number of connected VPN users.

Out of the box, the GUI includes several widgets that you can use to monitor these resources in real time. You can
add or remove widgets as needed, and change their settings and layout.

Many FortiGate features and services are licensed. Different licenses provide access to services such as technical
support, antivirus, web filtering, and IPS.

You can view the status of your FortiGate licenses in two locations: on the GUI, by clicking System, and then
FortiGuard; and in the Licenses widget on the dashboard. Each feature indicates whether its corresponding
license is valid and displays its expiration date.

To prevent disruptions in network services, avoid legal issues, and maintain compliance, it is important to renew
all licenses before they expire.

An expired license stops FortiGate from receiving software updates and technical support. Some features may
keep running during a grace period, while others stop running completely.
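Both the resource thresholds from the monitoring section above and the license expiry check can be automated against the FortiGate REST monitor API instead of watching dashboard widgets. The script below is an added example, not code from the lesson or from Fortinet. It assumes the endpoints /api/v2/monitor/system/resource/usage and /api/v2/monitor/license/status, bearer-token authentication with a REST API administrator, and the response shapes shown in the constructed SAMPLE_* dictionaries; check all three against the API reference on your own firewall before trusting the thresholds. The checks run offline against the samples; fetch_from_fortigate is the real fetcher.

```python
"""Resource and license health check for a FortiGate over its REST monitor API.

Added example; not Fortinet code. Endpoint paths, auth scheme and the result
shapes below are assumptions to verify against your firewall's API reference.
"""
import json
from typing import Callable, Dict, List

# Warn before the firewall is overloaded, not after.
CPU_WARN, MEM_WARN, DISK_WARN = 80, 80, 85   # percent
LICENSE_WARN_DAYS = 30

# --- Constructed sample responses (NOT captured from a real device) ---
SAMPLE_USAGE = {
    "results": {
        "cpu":  [{"current": 91}],
        "mem":  [{"current": 62}],
        "disk": [{"current": 40}],
        "session": [{"current": 12345}],
    }
}
SAMPLE_LICENSE = {
    "results": {
        "antivirus":  {"status": "licensed", "expires": 1702425600},  # 2023-12-13
        "web_filter": {"status": "licensed", "expires": 1760400000},
        "ips":        {"status": "expired",  "expires": 1690000000},
    }
}
NOW = 1701000000  # fixed "now" (2023-11-26) so the example is deterministic


def check_resources(usage: Dict) -> List[str]:
    """One finding per resource at or above its threshold."""
    r = usage["results"]
    findings = []
    for name, warn in (("cpu", CPU_WARN), ("mem", MEM_WARN), ("disk", DISK_WARN)):
        current = r[name][0]["current"]
        if current >= warn:
            findings.append(f"{name} at {current}% (threshold {warn}%)")
    return findings


def check_licenses(lic: Dict, now: int = NOW, warn_days: int = LICENSE_WARN_DAYS) -> List[str]:
    """Flag licenses that are not 'licensed' and those expiring within warn_days."""
    findings = []
    for feature, info in lic["results"].items():
        if info.get("status") != "licensed":
            findings.append(f"{feature}: {info.get('status')}")
            continue
        expires = info.get("expires")
        if expires is None:
            continue
        days_left = (expires - now) // 86400
        if days_left < warn_days:
            findings.append(f"{feature}: expires in {days_left} day(s)")
    return findings


def fetch_from_fortigate(host: str, token: str, path: str) -> Dict:
    """Real fetcher: HTTPS GET with an API token. TLS is verified on purpose;
    install the firewall's certificate rather than disabling verification."""
    import urllib.request
    req = urllib.request.Request(
        f"https://{host}{path}",
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def run_checks(fetch: Callable[[str], Dict]) -> Dict[str, List[str]]:
    """fetch(path) -> parsed JSON; inject sample_fetch offline or a bound
    fetch_from_fortigate for a live device."""
    usage = fetch("/api/v2/monitor/system/resource/usage")
    lic = fetch("/api/v2/monitor/license/status")
    return {"resources": check_resources(usage), "licenses": check_licenses(lic)}


def sample_fetch(path: str) -> Dict:
    return {"/api/v2/monitor/system/resource/usage": SAMPLE_USAGE,
            "/api/v2/monitor/license/status": SAMPLE_LICENSE}[path]


if __name__ == "__main__":
    print(json.dumps(run_checks(sample_fetch), indent=2))
```

Run it from cron or your monitoring system with a read-only REST API administrator, and raise an alert on any non-empty finding; the 30-day license warning gives you time to renew before a subscription lapses.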

FortiGate logs provide essential information about the firewall's activity, including network traffic, security events,
and system events. Monitoring your logs regularly helps you identify potential security threats, troubleshoot
issues, and gain insight into network and system performance.

FortiGate provides a user-friendly web interface to view logs.

All logging information is located under Log & Report. The GUI includes several log categories to make it easy
to find the logs of interest. To display only specific logs, you can filter on any of the fields included in
each log record.

The System Events and Security Events sections provide a summary page in addition to the usual log entries.
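The GUI filters described above operate on the same key=value fields that make up each raw FortiOS log record, so the same filtering can be applied to logs you export or forward to syslog. The Python below is an added example, not from the lesson. The three log lines are constructed to resemble FortiOS traffic, UTM and event records, and the field names follow the common FortiOS log schema (type, subtype, level, action, srcip, msg); confirm the exact fields against your own logs.

```python
"""Parse and filter FortiGate key=value log records.

Added example; not from the lesson. SAMPLE_LOGS are constructed lines,
not captured from a device; the device id and addresses are placeholders.
"""
import re
from typing import Dict, Iterable, List

# key=value pairs; a value is either a double-quoted string (may contain
# spaces and \" escapes) or a bare token.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

SAMPLE_LOGS = [  # constructed
    'date=2023-09-14 time=10:01:02 devname="FGT-EDGE" devid="FG000000000000" '
    'logid="0000000013" type="traffic" subtype="forward" level="notice" '
    'srcip=10.0.1.25 dstip=93.184.216.34 dstport=443 action="accept" policyid=5 msg="Traffic"',
    'date=2023-09-14 time=10:01:05 devname="FGT-EDGE" devid="FG000000000000" '
    'logid="0211008192" type="utm" subtype="virus" level="warning" '
    'srcip=10.0.1.25 dstip=203.0.113.7 action="blocked" virus="EICAR_TEST_FILE" msg="File is infected."',
    'date=2023-09-14 time=10:02:30 devname="FGT-EDGE" devid="FG000000000000" '
    'logid="0100032002" type="event" subtype="system" level="alert" user="admin" '
    'action="login" status="failed" srcip=198.51.100.9 '
    'msg="Administrator admin login failed from https(198.51.100.9)"',
]

# FortiOS severity names, lowest to highest.
LEVELS = ["debug", "information", "notice", "warning", "error", "critical", "alert", "emergency"]


def parse_log(line: str) -> Dict[str, str]:
    """Turn one record into a dict; quoted values are unquoted and unescaped."""
    fields = {}
    for key, raw in _KV.findall(line):
        if raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1].replace('\\"', '"')
        fields[key] = raw
    return fields


def filter_logs(lines: Iterable[str], **wanted: str) -> List[Dict[str, str]]:
    """Keep records whose fields equal every key=value given, mirroring the GUI
    filter, e.g. filter_logs(lines, type="utm", action="blocked")."""
    out = []
    for line in lines:
        rec = parse_log(line)
        if all(rec.get(k) == v for k, v in wanted.items()):
            out.append(rec)
    return out


def at_least(lines: Iterable[str], level: str) -> List[Dict[str, str]]:
    """Records at the given severity or higher; unknown levels are dropped."""
    floor = LEVELS.index(level)
    return [rec for rec in map(parse_log, lines)
            if rec.get("level") in LEVELS and LEVELS.index(rec["level"]) >= floor]


if __name__ == "__main__":
    for rec in at_least(SAMPLE_LOGS, "warning"):
        print(rec["time"], rec["type"], rec["subtype"], rec.get("action"), rec["msg"])
```

The regex handles the one awkward case in this format, a quoted msg field containing spaces or escaped quotes; a naive split on whitespace and "=" silently truncates those messages, which is exactly where the useful detail usually is.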

You have completed this lesson. You are now able to:

• Perform common FortiGate maintenance tasks.
• Back up and restore a FortiGate configuration.
• Upgrade FortiGate firmware.
• Monitor FortiGate resource use.
• Examine FortiGate licenses.
• Monitor FortiGate system logs.

Configuring the Fortinet Security Fabric

Welcome to the Configuring the Fortinet Security Fabric lesson.

Click Next to get started.

After completing this lesson, you will be able to achieve these objectives:

• Describe the importance and benefits of implementing the Fortinet Security Fabric.
• Describe how the Fortinet Security Fabric works to protect your network and simplify network administration.
• Configure the Security Fabric.

Today's networks are more complex than ever, with a wide variety of devices, applications, and services
connecting and sending traffic through them. Managing the security of such scenarios using a case-by-case
approach can be a challenge, and it is no longer a feasible way to defend your organization from all threats.

The Fortinet Security Fabric is an enterprise architecture that helps manage this complexity by providing a single-
pane-of-glass view of the organization's security posture. This enables security teams to quickly identify and
respond to security threats. The Security Fabric provides integrated, automated, and coordinated security across
the organization's entire network infrastructure.

These are a few benefits of using the Fortinet Security Fabric. Click each benefit to learn more.

• A unified view of the entire network from a single console: The logical and physical network topologies are
provided. These topologies show all devices in the fabric, how they are interconnected, their security details, and
the interfaces used to communicate with other fabric members.
• Synchronization of various object types across the fabric: This keeps objects consistent among all the device
members of the fabric.
• A security rating that informs you about potential vulnerabilities and how to eliminate them: This is a numerical
score based on the device settings detected across the fabric. The score is updated automatically at scheduled
intervals, or manually, and it is also updated every time you implement one of the suggested best practices. The
higher the score, the better the security posture.
• Integration with many device types: This includes Fortinet devices, as well as devices and platforms from other
vendors, through an API.
• Automatic detection of end devices: New endpoint devices are automatically detected, identified, and added to the
topology. Devices with FortiClient installed integrate more closely with the fabric.
• Centralized management of firmware upgrades for all FortiGate, FortiAP, and FortiSwitch devices from the root
FortiGate: Upgrades can be run immediately or scheduled and, for FortiGate devices, the correct upgrade path is
followed when necessary.
• Automation capabilities: The network is constantly monitored, and automatic actions can be taken when threats are
detected, without administrator intervention. For example, an automated response to a compromised endpoint can
run as follows:
  1. A computer running FortiClient detects a malicious website and sends a log to FortiAnalyzer.
  2. FortiAnalyzer discovers an indicator of compromise (IOC) and notifies FortiGate.
  3. FortiGate instructs the FortiClient endpoint management server (EMS) to quarantine that computer.
  4. The EMS server sends the quarantine message to the computer.
  5. The computer quarantines itself and notifies FortiGate and the EMS server of its status change.
  6. FortiGate sends a notification to a Microsoft Teams channel.

To implement the Fortinet Security Fabric, you need a minimum of two FortiGate firewalls running in NAT mode.
One of the FortiGate devices acts as the root firewall of the fabric. You must also centralize logging. This requires
one FortiAnalyzer, or a supported cloud logging solution. FortiAnalyzer Cloud or FortiGate Cloud can act as the
cloud logging solution.

Depending on your scenario, and to increase your visibility and control of the network, it is recommended to also
add FortiManager, FortiAP, FortiClient, FortiClient EMS, FortiSandbox, FortiMail, FortiWeb, FortiNDR,
FortiDeceptor, and FortiSwitch. Each one of these devices adds new capabilities to the security team. For
example, FortiManager can simplify the deployment of security policies among all or specific FortiGate firewalls.

Additionally, you can extend your fabric further with other optional Fortinet devices, and even several third-party
products.

Configuring the Fortinet Security Fabric consists of the following steps:

1. Configure FortiAnalyzer, or one of the supported cloud logging platforms, to accept logs from devices in the
fabric.
2. Configure the FortiGate device that will act as the fabric root. This step includes configuring the logging
settings, the required interfaces, and the Security Fabric connector.
3. Configure the downstream devices. For downstream FortiGate devices, this step includes configuring the required
interfaces and the Security Fabric connector to point to the root device. You don't need to configure the logging
settings because they are inherited from the root. Requirements for other devices vary depending on their type.
4. Authorize the downstream devices from the root firewall. You must authorize any device, whether added to the
Security Fabric manually or detected automatically, on the root FortiGate. Optionally, you can pre-authorize devices
if you know their details, such as their serial numbers.
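The four steps above, as they would be driven through the FortiOS REST API from an automation host. This is an added example, not Fortinet's code and not part of the lesson. Assumptions, to verify against the API reference on your own firewall before use: the cmdb endpoints system/csf, log.fortianalyzer/setting, system/interface and system/csf/trusted-list, the field names in the payloads, the Fabric TCP port 8013, and bearer-token authentication with a REST API administrator. Host names, addresses, interface names and the serial number are placeholders. The plan is built as an ordered list so that the logging and interface settings are always applied before the connector is enabled, and applying stops at the first failure.

```python
"""Build and apply the Security Fabric configuration steps over the FortiOS REST API.

Added example; not Fortinet code. Endpoint paths, field names, port 8013 and
the auth scheme are assumptions to verify against your firewall's API docs.
"""
import json
import urllib.request
from typing import Dict, List, Tuple

FABRIC_PORT = 8013  # default Security Fabric port (assumption)

# (description, HTTP method, cmdb path, JSON payload)
Step = Tuple[str, str, str, Dict]


def root_steps(group_name: str, faz_ip: str, fabric_ifaces: List[str]) -> List[Step]:
    """Step 2: logging first, then interfaces, then the Fabric connector on the root."""
    steps: List[Step] = [
        ("root: send logs to FortiAnalyzer", "PUT", "/api/v2/cmdb/log.fortianalyzer/setting",
         {"status": "enable", "server": faz_ip, "upload-option": "realtime"}),
    ]
    for iface in fabric_ifaces:
        # 'fabric' in allowaccess lets downstream FortiGates reach the root connector here
        steps.append((f"root: allow fabric on {iface}", "PUT",
                      f"/api/v2/cmdb/system/interface/{iface}",
                      {"allowaccess": "ping https ssh fabric"}))
    steps.append(("root: enable Security Fabric connector", "PUT", "/api/v2/cmdb/system/csf",
                  {"status": "enable", "group-name": group_name}))
    return steps


def downstream_steps(root_ip: str, fabric_ifaces: List[str]) -> List[Step]:
    """Step 3: interfaces and a connector pointing at the root; logging is inherited."""
    steps: List[Step] = []
    for iface in fabric_ifaces:
        steps.append((f"downstream: allow fabric on {iface}", "PUT",
                      f"/api/v2/cmdb/system/interface/{iface}",
                      {"allowaccess": "ping https fabric"}))
    steps.append(("downstream: point connector at root", "PUT", "/api/v2/cmdb/system/csf",
                  {"status": "enable", "upstream": root_ip, "upstream-port": FABRIC_PORT}))
    return steps


def preauthorize_step(serial: str) -> Step:
    """Step 4, pre-authorization variant: trust a downstream device by serial on the root."""
    return ("root: pre-authorize downstream by serial", "POST",
            "/api/v2/cmdb/system/csf/trusted-list",
            {"name": serial, "authorization-type": "serial", "serial": serial, "action": "accept"})


def apply_steps(host: str, token: str, steps: List[Step], dry_run: bool = True) -> List[str]:
    """Apply steps in order and stop at the first failure, so later steps never run
    against a half-configured fabric. dry_run=True only reports what would be sent."""
    log = []
    for desc, method, path, payload in steps:
        log.append(f"{method} {path} {json.dumps(payload, sort_keys=True)}  # {desc}")
        if dry_run:
            continue
        req = urllib.request.Request(
            f"https://{host}{path}", method=method, data=json.dumps(payload).encode(),
            headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        )
        with urllib.request.urlopen(req, timeout=10):  # TLS verified; raises HTTPError on failure
            pass
    return log


if __name__ == "__main__":
    # Placeholders: replace with your own hosts, interfaces and serial numbers.
    root_plan = root_steps("corp-fabric", "10.0.1.10", ["port3"]) + [preauthorize_step("FG000000000000")]
    for line in apply_steps("root-fgt.example", "TOKEN", root_plan, dry_run=True):
        print(line)
    for line in apply_steps("branch-fgt.example", "TOKEN", downstream_steps("10.0.1.254", ["port1"])):
        print(line)
```

Run with dry_run=True first and compare the printed requests with the lesson's steps; only then apply against the root, then each downstream device, and confirm in the root's Security Fabric view that every device appears as authorized.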

You have completed the lesson. You are now able to:

• Describe the importance and benefits of implementing the Fortinet Security Fabric.
• Describe how the Fortinet Security Fabric works to protect your network and simplify network administration.
• Configure the Security Fabric.

Copyright© 2023 Fortinet, Inc. All rights reserved.