FFT - Fortifying The Enterprise Network With NGFW v6.2 r1 Lab - Guide

The document provides instructions for a lab exercise on configuring FortiGate to prevent malicious activities like RDP brute force attacks and phishing emails. It describes configuring profiles for SSL inspection, IPS signatures, antivirus scanning and changing inspection mode on firewall policies.

Objective: 1

Section: Lab Topology


Title: Understanding the Lab Topology
Points: 0
----------------------- Objective Section -----------------------
Objective Text:
Fortinet Fast Tracks
Fortifying The Enterprise Network with Fortinet NGFW Solution

[Lab topology diagram] Enterprise Office connected to the Internet through the FortiGate-Edge, with: Malware Server (John-Hacker) on the Internet side; FortiAnalyzer; Windows Server 2012 R2 (Bob-Client); Jumpbox Server (Network Admin).
----------------------- Answer Section -----------------------

Answer: none

Answer Text:

Answer Key:
Objective: 2
Section: SSL Inspection
Title: Configure SSL/SSH Inspection profile
Points: 0
----------------------- Objective Section -----------------------
Objective Text:
The objective of this lab exercise is to configure the SSL/SSH Inspection profile for
Deep Packet Inspection.

Configure SSL/SSH Inspection Profile

1. Log in to the Jumpbox server as User1 (FortiFIED). From the Jumpbox
browser, log in to the FortiGate-Edge at 192.168.0.101 using the browser
bookmark.

NOTE: Unless otherwise indicated all username/passwords for the various web
consoles are:

Username: admin Password: Fortinet1!

2. Go to Security Profiles > SSL/SSH Inspection.

3. Click Edit on the custom-deep-inspection profile.

4. Enable SSL inspection on ports HTTPS, SMTPS, POP3S and IMAPS.

5. Click Apply.
----------------------- Hint 1 Section -----------------------

Hint: 1 Points: 0

Hint Text:

----------------------- Hint 2 Section -----------------------

Hint: 2 Points: 0

Hint Text:

----------------------- Answer Section -----------------------

Answer: none
Answer Text:

Answer Key:
Objective: 3
Section: Intrusion Prevention System
Title: Configure IPS Sensor and Firewall Policy
Points: 0
----------------------- Objective Section -----------------------
Objective Text:
A hacker, John, is sitting on the Malware server somewhere on the Internet.
Let's say John did a random port scan over the Internet and found that port
3389 (RDP) to one of the internal hosts is open on IP address 10.150.0.3
(FortiGate-Edge's external IP).

Note: TCP port 3389 is open on the FortiGate-Edge to allow RDP access to the
Windows Server 2012 over the Internet for Enterprise office Employees.

Now, John (hacker) obviously doesn't know the correct username and password
to authenticate against the Windows Server 2012. So he opens an RDP client on
the Malware Server and starts trying random usernames and passwords to gain
access to the Windows Server 2012 R2.

The objective of this Lab Exercise is to stop John (hacker) from being successful in
gaining RDP access to the Windows Server 2012 R2.

Configure IPS Sensor

1. From the Jumpbox server’s web browser, login into the FortiGate-Edge.

2. Go to Security Profiles > Intrusion Prevention.

3. Edit default IPS sensor.

4. Scroll down to Rate Based Signatures.

5. Locate the MS.RDP.Connection.Brute.Force signature in the list of Rate Based
Signatures.
Note: The following configuration may require the user to maximize the
browser window in order to view and configure the settings.

6. Enable the MS.RDP.Connection.Brute.Force signature.

7. Edit the configuration as follows:

 Threshold: 3
 Duration (seconds): 120 seconds
 Track By: Source IP
 Action: Block
 Block Duration (minutes): 3 minutes

8. Click Apply.

Apply IPS sensor to Firewall Policy

1. Go to Policy & Objects > IPv4 Policy.

2. Edit RDP Server Policy.

3. Enable IPS sensor default.

4. Choose SSL Inspection > custom-deep-inspection.

5. Click OK to save the policy.
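The rate-based signature settings above (threshold 3, duration 120 seconds, track by source IP, block for 3 minutes) are easier to reason about when the counting logic is written out. The following Python script is an added example, not FortiGate or FortiOS code: it models the same sliding-window rule and runs it over a few constructed authentication-failure log lines (the `t=... rdp-auth-fail src=... dst=...` format is invented for this example). It shows why the third failure inside the window triggers a block, why further attempts from that source are dropped until the block expires, and why a second source IP is counted on its own.

```python
"""Rate-based blocking, modelled on the IPS settings used in this lab.

Added example (not FortiGate code). Log format and timestamps are constructed.
"""
from collections import defaultdict, deque


class RateBasedBlocker:
    """Count events per source IP inside a sliding window; ban on threshold."""

    def __init__(self, threshold=3, duration=120, block_duration=180):
        self.threshold = threshold            # failures that trigger the block
        self.duration = duration              # sliding window, seconds
        self.block_duration = block_duration  # ban length, seconds (3 minutes)
        self._events = defaultdict(deque)     # src_ip -> timestamps in window
        self._blocked_until = {}              # src_ip -> time the ban expires

    def is_blocked(self, src_ip, now):
        until = self._blocked_until.get(src_ip)
        if until is None:
            return False
        if now >= until:                      # ban expired, lift it
            del self._blocked_until[src_ip]
            return False
        return True

    def observe(self, src_ip, now):
        """Record one failed attempt at time `now` (seconds).

        Returns 'blocked' (source already banned, attempt dropped),
        'block' (this attempt crossed the threshold and starts the ban)
        or 'allow' (still under the threshold).
        """
        if self.is_blocked(src_ip, now):
            return "blocked"
        window = self._events[src_ip]
        window.append(now)
        while window and now - window[0] > self.duration:
            window.popleft()                  # drop events older than the window
        if len(window) >= self.threshold:
            self._blocked_until[src_ip] = now + self.block_duration
            window.clear()
            return "block"
        return "allow"


# Constructed log lines: relative time in seconds, event, source, destination.
SAMPLE_LOG = """\
t=0   rdp-auth-fail src=10.150.0.254 dst=10.150.0.3:3389
t=20  rdp-auth-fail src=10.150.0.254 dst=10.150.0.3:3389
t=45  rdp-auth-fail src=10.150.0.254 dst=10.150.0.3:3389
t=60  rdp-auth-fail src=10.150.0.254 dst=10.150.0.3:3389
t=100 rdp-auth-fail src=203.0.113.7  dst=10.150.0.3:3389
t=250 rdp-auth-fail src=10.150.0.254 dst=10.150.0.3:3389
"""


def parse_line(line):
    """Return (time, src_ip) from one constructed log line."""
    fields = line.split()
    return int(fields[0][len("t="):]), fields[2][len("src="):]


def run(log_text, blocker=None):
    """Feed every failure to the blocker; return [(time, src_ip, verdict)]."""
    blocker = blocker or RateBasedBlocker()
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        t, src = parse_line(line)
        results.append((t, src, blocker.observe(src, t)))
    return results


if __name__ == "__main__":
    for t, src, verdict in run(SAMPLE_LOG):
        print(f"t={t:<4} {src:<14} {verdict}")
```

With the sample log, the third failure from 10.150.0.254 at t=45 returns `block` and the attempt at t=60 is `blocked`; the attempt at t=250 is allowed again because the 180-second ban has expired, which is exactly the window the Quarantine Monitor step later in this lab asks you to observe.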


----------------------- Answer Section -----------------------

Answer: none
Answer Text:

Answer Key:
Objective: 4
Section: Intrusion Prevention System
Title: Execute RDP Brute Force Attack
Points: 0
----------------------- Objective Section -----------------------
Objective Text:
Execute RDP.Connection.Brute.Force.Attack

Now put yourself in John's (the hacker's) position:

1. Go to the Malware server via Cloudshare tab.

2. Click on the Remote Desktop Client icon located on the Linux desktop to open
the RDP client.

3. Double-click on RDP_BruteForce_Attack to carry out the attack.

4. Once the connection to the RDP server fails, click OK.

5. Double-click on the RDP_BruteForce_Attack icon again in the same manner to carry
out the attack 3-4 more times.
Note: We are trying to gain RDP access to the Windows Server using a random
username and password.

6. After 3 failures, the RDP connection will be reset by the FortiGate's IPS sensor.

----------------------- Answer Section -----------------------

Answer: none

Answer Text:

Answer Key:
Objective: 5
Section: Intrusion Prevention System
Title: Verify IPS Results
Points: 10
----------------------- Objective Section -----------------------
Objective Text:
We will now verify the results of the RDP.Connection.Brute.Force attack on the
FortiGate-Edge.

Verify IPS Results

1. Login into the FortiGate-Edge.

2. Go to Monitor > Quarantine Monitor and verify the results.

3. The Malware server's IP address 10.150.0.254 should now be banned and
blocked for the next 3 minutes by the default IPS sensor on the FortiGate-Edge
RDP Server policy.
Note: We have set the block duration to only 3 minutes. A firewall admin can
permanently block this IP address.

4. Click Remove All at the top to remove this IP address from the banned IP address
list, as we need the Malware server for our next lab exercise.

5. Click OK to remove the entry.

6. Go to Log & Report > Intrusion Prevention.

7. Double-click on the IPS log entry.

8. Verify the log details carefully, such as Source, Destination, Action and Attack
name.

Stop and Think:


From the following choices, select all the ways we could deny John (Malware
Server) RDP access to the Windows Server. (Select all that apply)

Configure:

----------------------- Hint 1 Section -----------------------

Hint: 1 Points: 1

Hint Text:
Hint 1:

An IPv4 Deny policy with the source address set to the Malware server's IP address and the
destination address set to ‘all’ will not help here.

The destination address in the deny policy has to match the port-forwarding VIP (Virtual IP)
address.

----------------------- Hint 2 Section -----------------------

Hint: 2 Points: 1

Hint Text:
Hint 2:

An application control sensor set to block ‘Unknown’ applications will not block the RDP brute
force attack.

----------------------- Answer Section -----------------------


Answer: checkbox

Answer Text:
Correct Answer:

B, D

IPv4 Deny policy on top with source addr as IP address of the Malware server and destination
address matching the RDP server virtual IP.

IPS sensor with Rate based MS_RDP_Connection_BruteForce signature's action set to ‘Block’
applied on the RDP server Virtual IP policy.

Answer Key:
✘ 1. An application control profile only set to block unknown applications
applied on the RDP server Virtual IP policy.
✔ 2. IPv4 Deny policy on top with source addr as IP address of the Malware
server and destination address matching the RDP server virtual IP.
✘ 3. IPv4 Deny policy on top with source addr as IP address of the Malware
server and destination addr as ‘all’.
✔ 4. IPS sensor with Rate based MS_RDP_Connection_BruteForce signature's
action set to ‘Block’ applied on the RDP server Virtual IP policy.
Objective: 6
Section: Inspection Mode Per Policy
Title: Change Inspection Mode on IPv4 Policy
Points: 0
----------------------- Objective Section -----------------------
Objective Text:
Most of the FortiGate NGFW UTM features (AV, web filtering, etc.) can work in
either flow mode or proxy mode. The FortiOS default inspection mode is flow-based.

With FortiOS 6.2, the desired inspection mode (flow vs. proxy) can now be chosen
per policy. With FortiOS operating in the default flow mode, one now has the
flexibility to choose the inspection mode (flow or proxy) on individual policies
as appropriate for the traffic. In previous versions of FortiOS, the inspection
mode could be configured per VDOM only.

Change Inspection mode on Internet Policy from Flow-based > Proxy-based

1. Navigate to Policy & Objects > IPv4 Policy.

2. Edit Internet policy.


Note: For this hands-on lab exercise, we will edit and change the inspection
mode on the same Internet policy. In the real world, you might want to create a
new proxy-based policy based upon your requirements.

3. Change the Inspection Mode > Proxy-based.

4. Click OK to save the policy.


----------------------- Answer Section -----------------------

Answer: none

Answer Text:

Answer Key:
Objective: 7
Section: Antivirus
Title: Configure CDR Antivirus feature and Firewall Policy
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Since John (hacker), sitting on the Malware Server, was unable to get RDP access to
the Windows Server, he now starts looking into other ways of infecting the
Windows Server 2012 located on the Enterprise Network.

Let's say John was able to steal the email address of [email protected] via one of his
personal contacts. If you remember, Bob is a client sitting on the Windows Server
2012 R2. John will now try to send some malicious files via a phishing email to Bob,
who is sitting on the Windows Server.

Verify Malicious Files

1. Go to the Malware Server via Cloudshare tab.

2. Open Malicious Files folder on desktop.

There are 2 files in this folder as follows:

A. Registration Instructions PDF file:
Open this file and read it.
Click on the link provided in the file. This is just to illustrate that a phishing
website link is embedded in this file.
John will send this file to [email protected] (Windows Server 2012) via a phishing
email and ask Bob to register at this link by providing his personal information.

B. ZHVO Application:
This MS-DOS application is a brand new zero-day malware sample that has not yet
been detected by FortiGuard Threat Intelligence and is therefore unknown to
the FortiGate's NGFW AV signature database.

Note: We will test this virus sample as part of our next Virus Outbreak
Prevention lab exercise. For this particular lab objective, please focus on the
Registration Instructions PDF file only.

The objective of this Lab Exercise is to sanitize John's (hacker) attack email by
removing the phishing website link from the email attachment via the FortiGate's CDR
(Content Disarm and Reconstruction) antivirus feature before Bob receives it.

Configure Content Disarm and Reconstruction Antivirus feature

1. Go to Security Profiles > Antivirus.

2. Edit the antivirus profile default.

3. Enable Content Disarm and Reconstruction.

4. Click Apply.

Enable Antivirus profile ‘default’ on the Internet Policy

1. Go to Policy & Objects > IPv4 Policy.

2. Edit Internet (Port2-to-Port1) policy.

3. Enable Antivirus profile default.

4. Choose SSL Inspection > custom-deep-inspection.

5. Click OK to save the policy.


----------------------- Answer Section -----------------------

Answer: none

Answer Text:

Answer Key:
Objective: 8

Section: Antivirus

Title: Send Malicious File to Bob (Windows Server 2012)

Points: 0

----------------------- Objective Section -----------------------

Objective Text:

We will now send the attack email to [email protected] with a file attachment.

Send Malicious File to Bob (Windows Server 2012) via Email

Put yourself in John's (the hacker's) position:

1. Go to the Malware Server via Cloudshare tab.

2. Open Mozilla Thunderbird email client on the Linux desktop.

3. Click on Write tab located on top to compose a new email.

4. In the email To, type Bob's email address [email protected].

5. Enter an email Subject > Register Now.

6. Click Attach (top right corner) and attach the Registration Instructions file
ONLY by browsing to the Malicious Files folder on the desktop.

7. Send the Email by clicking on Send button (top left corner).


----------------------- Answer Section -----------------------

Answer: none

Answer Text:

Answer Key:
Objective: 9
Section: Antivirus
Title: Verify CDR Results
Points: 10
----------------------- Objective Section -----------------------
Objective Text:
Let's verify if John (hacker) has been successful in sending the phishing website
link embedded in the Registration Instructions file email attachment to Bob.

Verify CDR Results

1. Go to the Windows server 2012 via Cloudshare tab.

2. Open Mozilla Thunderbird email client on Desktop.


Note: If prompted with a certificate issue, please confirm the security exception.

3. Click on the ‘Get Messages’ tab located at the top left corner in case the Inbox is empty.

4. Open the email with subject ‘Register Now’.

5. Click to open the Registration Instructions pdf file attachment in this email.

6. Read it carefully and scroll down to the next page to view the
sanitized/reconstructed content.

7. Click on the hyperlink embedded under the word ‘here’ in the pdf file (it resolved to
a phishing website in the original document sent by John-hacker).
Note: You will find that the malicious web link has been removed. The PDF has
been successfully sanitized and disarmed by the CDR antivirus feature of the
FortiGate-Edge.

8. Close the Mozilla Thunderbird email client and the PDF file as well.

Stop and think


From the following choices, which can be successfully disarmed by the CDR
feature of FortiOS? (Select all that apply)

----------------------- Hint 1 Section -----------------------

Hint: 1 Points: 1

Hint Text:
Verify the 'default' antivirus profile configuration as follows:

Click on the CLI console >_ symbol located at the top right and type in the following
commands:

# config antivirus profile
# edit default
# config content-disarm
# show full

----------------------- Answer Section -----------------------

Answer: checkbox

Answer Text:
Correct Answer:

A, B, C, D, E

Stripping of macros in Microsoft Office documents.

Stripping of hyperlinks in Microsoft Office documents.

Stripping of JavaScript code in PDF documents.

Stripping of actions that execute JavaScript code in PDF documents.

Stripping of embedded files in PDF documents.

Answer Key:
✔ 1. Stripping of macros in Microsoft Office documents.
✔ 2. Stripping of hyperlinks in Microsoft Office documents.
✔ 3. Stripping of JavaScript code in PDF documents.
✔ 4. Stripping of actions that execute JavaScript code in PDF documents.
✔ 5. Stripping of embedded files in PDF documents.
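The CDR verification steps in Objective 9 and the answer list above describe what the feature strips from a document (hyperlinks, JavaScript, actions that run JavaScript, embedded files). The following Python script is an added example written for this guide, not FortiGate code and not a description of how FortiOS implements CDR: it scans a small constructed PDF for the PDF names that carry those features (`/URI`, `/JavaScript`, `/JS`, `/Launch`, `/EmbeddedFile(s)`, `/OpenAction`) and neutralizes inline action dictionaries the way the lab's sanitized attachment lost its `here` link while keeping its visible text. The sample PDF, the name list and the blanking approach are this example's own choices; a real CDR engine rebuilds the document rather than overwriting bytes in place.

```python
"""Detect and neutralize active content in a PDF, in the spirit of CDR.

Added example, not FortiGate code. The sample PDF and the risky-name list are
constructed for illustration; a real CDR engine rebuilds the whole document,
whereas this script only blanks inline action dictionaries.
"""
import re

# Categories from the lab's CDR list, mapped to the PDF names that carry them.
RISKY_PATTERNS = {
    "javascript": re.compile(rb"/(?:JavaScript|JS)(?![A-Za-z])"),
    "hyperlink": re.compile(rb"/URI(?![A-Za-z])"),
    "launch": re.compile(rb"/Launch(?![A-Za-z])"),
    "embedded_file": re.compile(rb"/EmbeddedFiles?(?![A-Za-z])"),
    "open_action": re.compile(rb"/OpenAction(?![A-Za-z])"),
}

# An action entry (/A, /AA or /OpenAction) with an inline dictionary that may
# contain one further level of nested << >>. Indirect references (/A 7 0 R)
# are not covered by this example.
ACTION_RE = re.compile(rb"/(A|AA|OpenAction)\s*<<(?:[^<>]|<<[^<>]*>>)*>>")


def scan(pdf):
    """Count occurrences of each risky PDF name in the raw bytes."""
    return {name: len(pat.findall(pdf)) for name, pat in RISKY_PATTERNS.items()}


def disarm(pdf):
    """Blank every inline action dict that carries a risky name.

    Each match is overwritten with spaces of the same length, so byte offsets
    in the xref table stay valid and the visible page content is untouched.
    Returns (disarmed_bytes, [(action_key, [categories found]), ...]).
    """
    removed = []

    def blank(match):
        body = match.group(0)
        hits = [n for n, p in RISKY_PATTERNS.items() if p.search(body)]
        if not hits:
            return body
        removed.append((match.group(1).decode(), hits))
        return b" " * len(body)

    return ACTION_RE.sub(blank, pdf), removed


# Constructed PDF: a catalog-level JavaScript OpenAction plus a link
# annotation whose URI action points at a phishing page, like the lab's
# "Registration Instructions" attachment. The URL is a placeholder.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction << /S /JavaScript /JS (app.alert\\(1\\)) >> >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] /Contents 5 0 R >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 200 720] /A << /S /URI /URI (http://phishing.example/register) >> >> endobj
5 0 obj << /Length 44 >> stream
BT /F1 12 Tf 72 700 Td (Register here) Tj ET
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    print("before:", scan(SAMPLE_PDF))
    clean, removed = disarm(SAMPLE_PDF)
    print("removed:", removed)
    print("after: ", scan(clean))
```

Running it on the sample reports two JavaScript names, two `/URI` names and one `/OpenAction` before, and none after; the page text `Register here` survives while the link and the auto-run script are gone, which is the behaviour the lab has you confirm in Thunderbird.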
Objective: 10
Section: Antivirus
Title: Configure External Malware Threat Feed Fabric Connector and VOB to use
External Malware Block List
Points: 0
----------------------- Objective Section -----------------------
Objective Text:
External Block List (Threat Feed) – File Hashes

FortiOS 6.2 adds a new type of Threat Feed connector that supports a list of file
hashes and can be used to strengthen the Virus Outbreak Prevention service. This
feature allows users to incorporate external third-party dynamic malware hash
block lists into their FortiGate antivirus scanning by specifying a URI to an external
server.

Configure Malware Hash Threat Feed Fabric Connector

1. Go to Security Fabric > Fabric Connectors.

2. Click Create New.

3. Scroll down to Threat Feeds section.

4. Click on Malware Hash icon.

5. Configure the connector settings as follows:

- Name: External Malware Threat Feed
- URI of external resource: http://10.150.0.254/hashfile.txt
- HTTPS basic authentication: Disable
- Refresh Rate: 1
- Status: Enable

Note: ‘hashfile.txt’ is a text file that contains the list of manually entered
hash values and is located on an external server. A network security admin
can add multiple hash entries to this list and it will automatically update the
FortiGate’s AV signature database after each refresh interval. For example, if a
brand new zero-day malware sample unknown to the FortiGate's NGFW AV
signature database has been detected by a security expert, the file hash of
that zero-day malware can be easily incorporated into the FortiGate’s AV
signature database.

6. Click OK to save the settings.

7. Initially, the connector will be in down status (red).

8. Click on the refresh button a few times until the status changes to green.

9. Once the connector is up, right-click on the Fabric connector.

10. Click View Entries to see the list of hashes that have been successfully
downloaded from the external hashfile.txt into the FortiGate’s antivirus database.

Note: For this lab test, we have only added one hash value in the external
‘hashfile.txt’.

Configure Antivirus profile to use External Malware Block List

1. Go to Security Profiles > Antivirus.

2. Edit Antivirus profile > default.

3. Under Virus Outbreak Prevention section, enable Use External Malware Block
List.

4. Click Apply.
----------------------- Answer Section -----------------------

Answer: none

Answer Text:

Answer Key:
Objective: 11

Section: Antivirus

Title: Download Malware sample

Points: 0

----------------------- Objective Section -----------------------

Objective Text:

Download ‘zhvo.com’ Malware sample File

‘zhvo.com’ is a virus sample file stored on the Malware server.

1. Go to the Windows Server via Cloudshare tab.
2. Open the IE web browser.
3. Click on the Malware_Test_File browser bookmark to download the zhvo virus
sample file from the Malware server.
4. You will be presented with a High Security Alert block page and the
download fails.
5. The file is successfully blocked because we incorporated the external malware
hash matching the zhvo virus sample into the FortiGate’s AV scanning service via the
External Malware Threat Feed Fabric connector configured previously.
6. Close the IE web browser.
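The connector configured in Objective 10 and the blocked download just verified come down to one operation: fetch a text file of digests, and compare the hash of each scanned file against it. The Python script below is an added example, not FortiGate code, that implements that matching over constructed data. The `hashfile.txt` layout it parses (one hex digest per line, an optional description after it, `#` comments) is an assumption made for the example, since the page does not show the file's contents; the "malware" is just a byte string whose digests are computed at run time, and the real hash used in the lab is not reproduced here. It also shows the two checks a feed parser needs: case-insensitive matching and rejecting malformed lines without discarding the rest of the list.

```python
"""Check a downloaded file against an external malware hash block list.

Added example, not FortiGate code. The hashfile.txt format used here (one hex
digest per line, optional description, '#' comments) is an assumption, and the
sample bytes and digests are constructed.
"""
import hashlib
import re

HEX_RE = re.compile(r"^[0-9a-f]+$")
ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}  # digest length -> algorithm


class MalwareHashFeed:
    def __init__(self):
        self.entries = {}    # (algorithm, digest) -> description
        self.rejected = []   # (line number, raw line) that failed validation

    def load(self, text):
        """Parse a fetched hashfile; return the number of usable entries."""
        self.entries.clear()
        self.rejected.clear()
        for lineno, raw in enumerate(text.splitlines(), 1):
            line = raw.split("#", 1)[0].strip()      # strip comments
            if not line:
                continue
            parts = line.split(None, 1)
            digest = parts[0].lower()                 # match case-insensitively
            algo = ALGO_BY_LEN.get(len(digest))
            if algo is None or not HEX_RE.match(digest):
                self.rejected.append((lineno, raw))   # keep going, record the bad line
                continue
            self.entries[(algo, digest)] = parts[1].strip() if len(parts) > 1 else ""
        return len(self.entries)

    def lookup(self, data):
        """Return the feed description for `data` if its hash is listed, else None."""
        for algo in sorted({a for a, _ in self.entries}):
            digest = hashlib.new(algo, data).hexdigest()
            if (algo, digest) in self.entries:
                return self.entries[(algo, digest)] or "listed, no description"
        return None

    def verdict(self, data):
        return "block" if self.lookup(data) is not None else "allow"


# Constructed inputs: the "zero-day" is just a byte string, not real malware.
SAMPLE_MALWARE = b"constructed zero-day sample for the hash feed example"
BENIGN_FILE = b"quarterly sales report"

SAMPLE_FEED = f"""# constructed hashfile.txt
{hashlib.sha256(SAMPLE_MALWARE).hexdigest()} zhvo-sample
{hashlib.md5(SAMPLE_MALWARE).hexdigest().upper()}   # same sample, MD5 in upper case
ZZZZ this line is not a digest and must be rejected
"""


def check_download(feed_text, data):
    """Load the feed, then return (verdict, description) for one file."""
    feed = MalwareHashFeed()
    feed.load(feed_text)
    return feed.verdict(data), feed.lookup(data)


if __name__ == "__main__":
    feed = MalwareHashFeed()
    print("entries:", feed.load(SAMPLE_FEED), "rejected:", feed.rejected)
    print("zhvo sample ->", check_download(SAMPLE_FEED, SAMPLE_MALWARE))
    print("benign file ->", check_download(SAMPLE_FEED, BENIGN_FILE))
```

Loading the constructed feed yields two usable entries and one rejected line; the sample bytes are blocked (they match on both digests) and the benign file is allowed. In the lab, the refresh rate on the connector is what decides how quickly a hash added to the file on 10.150.0.254 starts producing the block page seen above.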
----------------------- Answer Section -----------------------

Answer: none

Answer Text:

Answer Key:
Objective: 12
Section: Automation
Title: Configure User Defined Automation (Ban Compromised Host)
Points: 0
----------------------- Objective Section -----------------------
Objective Text:
John (hacker) has failed miserably so far in gaining access to the Windows
Server 2012 in the Enterprise Office.

John still doesn't lose hope. He gets in touch with one of the Enterprise Office
employees and succeeds in convincing him/her to install malicious software
on Bob’s Windows Server 2012 client machine via a USB stick.

The malicious software is actually a .BAT file that, once executed, will try to visit
and download content from phishing and malicious websites.

The objective of this Lab Exercise is to configure a powerful feature of FortiOS,
User Defined Automation, which will automatically ban the Compromised Host IP
(Windows Server 2012) and stop it from further propagating the threat.

Configure User Defined Automation

1. Login into the FortiGate-Edge.

2. Go to Security Fabric > Automation.

3. Click Create New Automation Stitch.

4. Type a Name > Compromised Host.

5. Make sure Status is Enabled and the All FortiGates option beside FortiGate is
selected.

6. Select the Trigger > Compromised Host.


Note: If you see Configure FortiAnalyzer warning, please ignore it as we already
have FAZ setup.

7. Choose the Action > IP Ban.

8. Click OK to apply the configuration.

Apply Web Filter profile to Firewall Policy for detecting Malicious Web Traffic

1. Go to Policy & Objects > IPv4 Policy.


2. Edit Internet policy (port2-to-port1).

3. Enable Web Filter profile > default.

4. Click OK to save the policy.

----------------------- Answer Section -----------------------


Answer: none

Answer Text:

Answer Key:
Objective: 13
Section: Automation
Title: Execute Malicious BAT file
Points: 10
----------------------- Objective Section -----------------------
Objective Text:
Bob was unaware of the Malicious code installed on the Windows Server 2012
and one day, he inadvertently executes the code as follows:

Execute Malicious BAT file

1. Go to Windows Server 2012 via Cloudshare tab.

2. Open the command prompt app on desktop.

3. Type hello in the command prompt window.

4. Hit Enter to execute the BAT file.

The code will try to connect to and retrieve content from malicious websites.
Let the program run in the background; you can move on to the Stop and Think
question.

Stop and Think

How is a Compromised Host identified in the Security Fabric? (Select one)

----------------------- Hint 1 Section -----------------------

Hint: 1 Points: 1

Hint Text:
Hint 1:
This is a service offered by FortiAnalyzer. FortiAnalyzer identifies compromised hosts by checking the
logs of each end user against its threat database. When a threat match is found, a threat score is given
to the end user. When the check is complete, FortiAnalyzer aggregates all the threat scores of an end
user and gives its verdict.

----------------------- Answer Section -----------------------

Answer: radio

Answer Text:
Correct Answer:

FortiAnalyzer analyzes the traffic logs, identifies the compromised host via the Indicator of
Compromise (IOC) license service and sends the verdict to the Root FortiGate in the security
Fabric.

Answer Key:
✘ 1. Root FortiGate in the Security Fabric identifies the compromised host itself
✔ 2. FortiAnalyzer analyzes the traffic logs, identifies the compromised host via
the Indicator of Compromise (IOC) license service and sends the verdict to the
Root FortiGate in the security Fabric.
✘ 3. FortiClient installed on the host machine identifies and sends the
Compromised host verdict to the Root FortiGate in the Security Fabric.
✘ 4. Device Detection enabled on the local interface identifies the
compromised host and send the information to the Root FortiGate.
Objective: 14
Section: Automation
Title: Verify Automation Results
Points: 0
----------------------- Objective Section -----------------------
Objective Text:
Automation removes the need for manual intervention by a network admin in order
to detect threats inside the network. That is what it was designed to do in
the first place.

As a network admin, let's just relax for 1-2 minutes (approx.).

We will let the FortiGate-Edge handle the threat by itself via the Automation
stitch.

After 2 minutes have passed, we can go ahead and verify the action taken by the
Automation Stitch configured on the FortiGate-Edge.

Verify Automation Results

1. Login to the FortiGate-Edge.

2. Go to Security Fabric > Physical Topology.

3. Please make sure that the time period is set to 5 minutes in the top right
corner.

4. Verify the Compromised host highlighted with an IP-ban circle surrounding it.

5. Move the mouse pointer over the compromised host icon and verify the host
information.

6. Go to Monitor > Quarantine Monitor.

7. Verify the Banned IP address.

8. Go to Windows Server 2012 again via Cloudshare tab.

9. Open the IE web browser.

10. You will find that Bob's Windows Server 2012 IP address (10.10.3.150) has
been banned from the network automatically to restrict it from further
propagating the threat.

----------------------- Answer Section -----------------------

Answer: none

Answer Text:

Answer Key:
Objective: 15
Section:
Title: Completion
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

You have successfully completed the Fortinet NGFW Fast Track Hands On Lab Training.

Thank You

To get more information on this or other Fortinet solutions, please consider
taking a look at Fortinet's NSE training.
----------------------- Answer Section -----------------------

Answer: none

Answer Text:

Answer Key:
