FFT - Fortifying The Enterprise Network With NGFW v6.2 r1 Lab - Guide
Answer: none
Answer Text:
Answer Key:
Objective: 2
Section: SSL Inspection
Title: Configure SSL/SSH Inspection profile
Points: 0
----------------------- Objective Section -----------------------
Objective Text:
The objective of this lab exercise is to configure the SSL/SSH Inspection profile for
Deep Packet Inspection.
1. Log in to the Jumpbox server as User1 (FortiFIED). From the Jumpbox
browser, log in to the FortiGate-Edge at 192.168.0.101 by using the browser
bookmark.
NOTE: Unless otherwise indicated, the usernames/passwords for the various web
consoles are:
5. Click Apply.
----------------------- Hint 1 Section -----------------------
Hint: 1 Points: 0
Hint Text:
Hint: 2 Points: 0
Hint Text:
Answer: none
Answer Text:
Answer Key:
Objective: 3
Section: Intrusion Prevention System
Title: Configure IPS Sensor and Firewall Policy
Points: 0
----------------------- Objective Section -----------------------
Objective Text:
A hacker, John, is sitting on the Malware server somewhere on the Internet.
Let's say John did a random port scan over the Internet and found that TCP port
3389 (RDP) is open on IP address 10.150.0.3 (the FortiGate-Edge's external IP)
and is forwarded to one of the internal hosts.
Note: TCP port 3389 is open on the FortiGate-Edge to allow RDP access to the
Windows Server 2012 over the Internet for Enterprise office employees.
Now, John (hacker) obviously doesn't know a valid username and password for
the Windows Server 2012. So he opens an RDP client on the Malware Server and
starts trying random usernames and passwords to get access to the Windows
Server 2012 R2.
The objective of this lab exercise is to stop John (hacker) from successfully
gaining RDP access to the Windows Server 2012 R2.
1. From the Jumpbox server's web browser, log in to the FortiGate-Edge.
Threshold: 3
Duration (seconds): 120 seconds
Track By: Source IP
Action: Block
Block Duration (minutes): 3 minutes
8. Click Apply.
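The rate-based settings above are easiest to reason about as a small state machine. The following is an added example written for this guide, not FortiOS code: a Python model of a rate-based signature that counts matches per source IP over the Duration window, fires the Block action on the Threshold-th match and quarantines the source for Block Duration. The timestamps, the employee address 198.51.100.7 and the sliding-window counting are assumptions of the example; FortiOS has its own rate-mode setting that decides how matches are counted, so check the sensor's CLI before relying on exact timing.

```python
"""Toy model of a rate-based IPS signature with a temporary source-IP ban.

Added example for this lab guide; it is not FortiOS code. It reproduces the
settings configured above (Threshold 3, Duration 120 s, Track By Source IP,
Action Block, Block Duration 3 min). Timestamps and the employee IP below
are constructed; the sliding-window counting is an assumption.
"""
from collections import defaultdict, deque

THRESHOLD = 3            # signature matches within the window before the action fires
DURATION = 120           # rate window in seconds
BLOCK_DURATION = 3 * 60  # how long the attacker IP stays banned, in seconds

MALWARE_SERVER = "10.150.0.254"   # the lab's Malware server
EMPLOYEE = "198.51.100.7"         # constructed: a legitimate remote employee


class RateBasedSensor:
    """Tracks signature matches per source IP (Track By: Source IP)."""

    def __init__(self, threshold=THRESHOLD, duration=DURATION,
                 block_duration=BLOCK_DURATION):
        self.threshold = threshold
        self.duration = duration
        self.block_duration = block_duration
        self.hits = defaultdict(deque)  # src_ip -> timestamps of matches in window
        self.banned = {}                # src_ip -> ban expiry (seconds)
        self.events = []                # (ts, src_ip, verdict) audit trail

    def inspect(self, ts, src_ip, matched):
        """Return 'pass', 'reset' (action fired on this session) or 'banned'."""
        expiry = self.banned.get(src_ip)
        if expiry is not None:
            if ts < expiry:
                return self._record(ts, src_ip, "banned")  # quarantined: drop regardless
            del self.banned[src_ip]                        # Block Duration elapsed
        if not matched:
            return self._record(ts, src_ip, "pass")
        window = self.hits[src_ip]
        window.append(ts)
        while window and ts - window[0] > self.duration:  # keep only the last 120 s
            window.popleft()
        if len(window) >= self.threshold:
            self.banned[src_ip] = ts + self.block_duration
            window.clear()
            return self._record(ts, src_ip, "reset")
        return self._record(ts, src_ip, "pass")

    def remove_all(self):
        """Models the 'Remove All' button on the banned-IP list."""
        self.banned.clear()

    def _record(self, ts, src_ip, verdict):
        self.events.append((ts, src_ip, verdict))
        return verdict


def run_demo():
    """Replay a constructed brute-force attempt and return (ts, ip, verdict) triples."""
    sensor = RateBasedSensor()
    attempts = [
        (0,   MALWARE_SERVER, True),   # 1st failed RDP connection
        (10,  MALWARE_SERVER, True),   # 2nd
        (15,  EMPLOYEE,       True),   # an employee mistypes a password: separate counter
        (20,  MALWARE_SERVER, True),   # 3rd within 120 s -> reset + 3 min ban
        (30,  MALWARE_SERVER, False),  # even a clean packet is dropped while banned
        (199, MALWARE_SERVER, True),   # still inside the ban (expires at 20 + 180 = 200)
        (200, MALWARE_SERVER, True),   # ban expired; the counter restarts at 1
    ]
    return [(ts, ip, sensor.inspect(ts, ip, hit)) for ts, ip, hit in attempts]


if __name__ == "__main__":
    for ts, ip, verdict in run_demo():
        print(f"t={ts:4d}s {ip:14s} {verdict}")
```

Running it shows the Malware server's third failed connection being reset and its later packets dropped until the ban lapses, while the employee's single failure never reaches the threshold; remove_all() is the equivalent of the Remove All button used in Objective 5.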
Answer: none
Answer Text:
Answer Key:
Objective: 4
Section: Intrusion Prevention System
Title: Execute RDP Brute Force Attack
Points: 0
----------------------- Objective Section -----------------------
Objective Text:
Execute RDP.Connection.Brute.Force.Attack
2. Click on the Remote Desktop Client icon located on the Linux desktop to open
the RDP client.
6. After 3 failures, the RDP connection will be reset by the FortiGate's IPS sensor.
Answer: none
Answer Text:
Answer Key:
Objective: 5
Section: Intrusion Prevention System
Title: Verify IPS Results
Points: 10
----------------------- Objective Section -----------------------
Objective Text:
We will now verify the results of the RDP.Connection.Brute.Force attack on the
FortiGate-Edge.
3. The Malware server's IP address 10.150.0.254 should have been banned and
blocked from access for the next 3 minutes by the default IPS sensor on the
FortiGate-Edge RDP Server policy.
Note: We have set the block duration to 3 minutes only. A firewall admin can
permanently block this IP address instead.
4. Click Remove All at the top to remove this IP address from the banned IP
address list, as we need the Malware server for the next lab exercise.
8. Verify the log details carefully, such as Source, Destination, Action and
Attack name.
Configure:
Hint: 1 Points: 1
Hint Text:
Hint 1:
An IPv4 Deny policy with the source address set to the Malware server's IP address
and the destination address set to 'all' will not help here.
The destination address in the deny policy has to match the port-forwarding VIP
(virtual IP) object: the VIP's DNAT is applied before the policy lookup, so a deny
policy written against 'all' does not match the DNATed RDP traffic by default.
Hint: 2 Points: 1
Hint Text:
Hint 2:
An application control sensor set to block 'Unknown' applications will not block the
RDP brute force attack: RDP itself is a recognized application, so an 'Unknown' block
never matches it, and the signal here is the rate of failed connections, which is an
IPS job.
Answer Text:
Correct Answer:
B, D
IPv4 Deny policy on top with source addr as IP address of the Malware server and destination
address matching the RDP server virtual IP.
IPS sensor with Rate based MS_RDP_Connection_BruteForce signature's action set to ‘Block’
applied on the RDP server Virtual IP policy.
Answer Key:
✘ 1. An application control profile only set to block unknown applications
applied on the RDP server Virtual IP policy.
✔ 2. IPv4 Deny policy on top with source addr as IP address of the Malware
server and destination address matching the RDP server virtual IP.
✘ 3. IPv4 Deny policy on top with source addr as IP address of the Malware
server and destination addr as ‘all’.
✔ 4. IPS sensor with Rate based MS_RDP_Connection_BruteForce signature's
action set to ‘Block’ applied on the RDP server Virtual IP policy.
Objective: 6
Section: Inspection Mode Per Policy
Title: Change Inspection Mode on IPv4 Policy
Points: 0
----------------------- Objective Section -----------------------
Objective Text:
Most of the FortiGate NGFW UTM features (AV, web filtering, etc.) can work in
either flow mode or proxy mode.
The FortiOS default inspection mode is flow-based.
With FortiOS 6.2, choosing the desired inspection mode (flow vs. proxy) is now
possible per policy. With FortiOS operating in the default flow mode, you now
have the flexibility to change the inspection mode (flow or proxy) on individual
policies as appropriate for the traffic. In previous versions of FortiOS, the
inspection mode could only be configured per VDOM.
Change the inspection mode on the Internet Policy from Flow-based to Proxy-based
1. Navigate to Policy & Objects > IPv4 Policy.
Answer: none
Answer Text:
Answer Key:
Objective: 7
Section: Antivirus
Title: Configure CDR Antivirus feature and Firewall Policy
Points: 0
----------------------- Objective Section -----------------------
Objective Text:
Since John (hacker), sitting on the Malware Server, was unable to get RDP access to
the Windows Server, he now starts looking into other ways of infecting the
Windows Server 2012 located on the Enterprise Network.
Let's say John was able to obtain the email address of [email protected] via one of
his personal contacts. If you remember, Bob is a client sitting on the Windows
Server 2012 R2. John will now try to send some malicious files via a phishing email
to Bob, who is sitting on the Windows Server.
B. ZHVO Application:
This MS-DOS application is a brand new zero-day malware sample that has not yet
been detected by FortiGuard Threat Intelligence and is therefore unknown to the
FortiGate's NGFW AV signature database.
Note: We will test this virus sample as part of the next Virus Outbreak
Prevention lab exercise. For this particular lab objective, please focus on the
Registration Instructions PDF file only.
The objective of this lab exercise is to sanitize John's (hacker) attack email by
removing the phishing website link in the email attachment via the FortiGate's CDR
(Content Disarm and Reconstruction) antivirus feature before Bob receives it.
4. Click Apply.
Enable Antivirus profile ‘default’ on the Internet Policy
Answer: none
Answer Text:
Answer Key:
Objective: 8
Section: Antivirus
Points: 0
Objective Text:
6. Click Attach (top right corner) and attach the Registration Instructions file
ONLY by browsing to the Malicious Files folder on the desktop.
Answer: none
Answer Text:
Answer Key:
Objective: 9
Section: Antivirus
Title: Verify CDR Results
Points: 10
----------------------- Objective Section -----------------------
Objective Text:
Let's verify whether John (hacker) has been successful in sending the phishing
website link embedded in the Registration Instructions file email attachment to Bob.
3. Click the 'Get Messages' tab located at the top left corner in case the Inbox is empty.
4. Click to open the Registration Instructions PDF file attachment in this email.
6. Click the hyperlink embedded under the word 'here' in the PDF file (it resolved to
a phishing website in the original document sent by John).
Note: You will find that the malicious web link has been removed. The PDF has
been successfully sanitized and disarmed by the CDR antivirus feature of the
FortiGate-Edge.
7. Close the Mozilla Thunderbird email client and the PDF file as well.
Hint: 1 Points: 1
Hint Text:
Verify the 'default' antivirus profile configuration as follows:
Click on the CLI console >_ symbol located at top right and type in the following
commands:
Answer: checkbox
Answer Text:
Correct Answer:
A, B, C, D, E
Answer Key:
✔ 1. Stripping of macros in Microsoft Office documents.
✔ 2. Stripping of hyperlinks in Microsoft Office documents.
✔ 3. Stripping of JavaScript code in PDF documents.
✔ 4. Stripping of actions that execute JavaScript code in PDF documents.
✔ 5. Stripping of embedded files in PDF documents.
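Objective 7 describes CDR stripping the phishing link from the PDF, and the answer key above lists what CDR removes from Office and PDF files. As an added example for this guide (not FortiGate's CDR implementation), the Python below performs the same kind of disarm on a constructed PDF: it removes the dictionary keys that carry active content (/OpenAction, /AA, /A link and JavaScript actions, /JS, /JavaScript, /EmbeddedFiles) and leaves the rest of the file untouched, so the text "Register here" survives but the link under it no longer points anywhere. The sample PDF, the phishing URL and the byte-level scanner are all constructed for this example; it handles plain, unencrypted PDFs without object streams and does not deal with Office documents.

```python
"""Toy content-disarm for PDF files, in the spirit of the CDR feature described
in Objectives 7 and 9. Added example for this lab guide; it is not FortiGate's
CDR implementation. The sample PDF and the phishing URL are constructed, and
the scanner is deliberately simple: unencrypted PDFs without object streams.
"""
import re

# Dictionary keys whose values carry active content. /OpenAction is handled
# before /JS so a JavaScript open action is reported once, as one removal.
ACTIVE_KEYS = (b"OpenAction", b"AA", b"A", b"JavaScript", b"JS", b"EmbeddedFiles")

# a name, a number, or an indirect reference such as "7 0 R"
TOKEN = re.compile(rb"\d+\s+\d+\s+R|/[^\s/<>\[\]()]*|[^\s/<>\[\]()]+")


def _value_end(data, i):
    """Index just past the PDF value that starts at data[i]."""
    n = len(data)
    if data.startswith(b"<<", i):                # dictionary, possibly nested
        depth = 0
        while i < n:
            if data.startswith(b"<<", i):
                depth += 1
                i += 2
            elif data.startswith(b">>", i):
                depth -= 1
                i += 2
                if depth == 0:
                    return i
            else:
                i += 1
        return n
    if data[i:i + 1] == b"[":                    # array
        depth = 0
        while i < n:
            depth += (data[i:i + 1] == b"[") - (data[i:i + 1] == b"]")
            i += 1
            if depth == 0:
                return i
        return n
    if data[i:i + 1] == b"(":                    # literal string with \ escapes
        depth = 0
        while i < n:
            c = data[i:i + 1]
            if c == b"\\":
                i += 2
                continue
            depth += (c == b"(") - (c == b")")
            i += 1
            if depth == 0:
                return i
        return n
    if data[i:i + 1] == b"<":                    # hex string
        j = data.find(b">", i)
        return n if j < 0 else j + 1
    m = TOKEN.match(data, i)
    return m.end() if m else i


def disarm_pdf(data):
    """Return (sanitized_bytes, list of stripped key names)."""
    report = []
    for key in ACTIVE_KEYS:
        # "/A" must not match "/Annots" or "/AA": require a delimiter after the name
        pattern = re.compile(rb"/" + key + rb"(?=[\s<\[(/>])")
        pos = 0
        while True:
            m = pattern.search(data, pos)
            if not m:
                break
            start = m.start()
            vstart = re.compile(rb"\s*").match(data, m.end()).end()
            end = _value_end(data, vstart)
            data = data[:start] + data[end:]     # drop "/Key value" entirely
            report.append(key.decode())
            pos = start
    return data, report


# Constructed sample: a one-page PDF whose "Register here" text carries a link
# annotation to a phishing URL, plus a JavaScript /OpenAction that runs on open.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction << /S /JavaScript /JS (app.alert('pwned')) >> >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [5 0 R] >> endobj
4 0 obj << /Length 44 >> stream
BT /F1 12 Tf 72 700 Td (Register here) Tj ET
endstream endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [72 690 150 710] /A << /S /URI /URI (http://phish.example/register) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    clean, stripped = disarm_pdf(SAMPLE_PDF)
    print("stripped:", stripped)
    print(clean.decode())
```

The link annotation is kept but left without an action, which is what the reader sees in Objective 9: the word "here" is still there, clicking it does nothing. The file is processed as bytes rather than through a PDF library so the stripping logic stays visible; a real CDR engine also repairs the cross-reference table after removing content, which this toy does not do.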
Objective: 10
Section: Antivirus
Title: Configure External Malware Threat Feed Fabric Connector and VOB to use
External Malware Block List
Points: 0
----------------------- Objective Section -----------------------
Objective Text:
External Block List (Threat Feed) – File Hashes
FortiOS 6.2 adds a new type of Threat Feed connector that supports a list of file
hashes and can be used to strengthen the Virus Outbreak Prevention service. This
feature allows users to incorporate external third-party dynamic malware hash
block lists into FortiGate antivirus scanning by specifying the URI of an external
server.
Configure Malware Hash Threat Feed Fabric Connector
10. Click View Entries to see the list of hashes that have been successfully
downloaded from external_hashfile.txt into the FortiGate's antivirus database.
Note: For this lab test, only one hash value has been added to the external
hash file.
3. Under Virus Outbreak Prevention section, enable Use External Malware Block
List.
4. Click Apply.
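The connector above fetches a plain-text hash list from a URI. As an added example for this guide, not Fortinet code, the Python below builds such a list from sample files, parses it the way a consumer must (tolerating comments, rejecting malformed digests rather than matching on them) and looks a file up against it. The file layout it assumes (one "<hex hash> <description>" entry per line, MD5/SHA-1/SHA-256 told apart by digest length, '#' starting a comment) should be checked against the FortiOS 6.2 connector documentation; the sample bytes and description strings are constructed.

```python
"""Build and consume a malware hash feed like the one the External Malware
Block List connector fetches. Added example for this lab guide, not Fortinet
code. Assumed layout (verify against the FortiOS 6.2 documentation): one
"<hex hash> <description>" per line, MD5/SHA-1/SHA-256 by length, '#' comments.
All sample files and feed entries are constructed.
"""
import hashlib
import re

HEX = re.compile(r"^[0-9a-f]+$")
ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}

# Constructed "malware" and benign samples (just bytes, not real malware).
DROPPER = b"MZ\x90\x00constructed-dropper-sample-for-the-lab\x00"
BENIGN = b"%PDF-1.4 harmless registration instructions"


def feed_entry(data, description, algo="sha256"):
    """Hash one file and render it as a feed line."""
    return f"{hashlib.new(algo, data).hexdigest()} {description}"


def parse_feed(text):
    """Return ({hash: (algo, description)}, [reasons for rejected lines])."""
    entries, rejected = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        digest = parts[0].lower()               # feeds mix upper/lower-case hex
        description = parts[1].strip() if len(parts) > 1 else ""
        algo = ALGO_BY_LEN.get(len(digest))
        if algo is None or not HEX.match(digest):
            rejected.append(f"line {lineno}: not an MD5/SHA-1/SHA-256 hex digest: {parts[0]!r}")
            continue
        entries[digest] = (algo, description)
    return entries, rejected


def lookup(data, entries):
    """Hash the file with every algorithm the feed uses; return the description on a hit."""
    for algo in {a for a, _ in entries.values()}:
        hit = entries.get(hashlib.new(algo, data).hexdigest())
        if hit is not None:
            return hit[1]
    return None


# Constructed external hash file: a SHA-256 entry, an MD5 entry (the digest of
# the empty file) and a malformed line that must be rejected, not matched.
FEED_TEXT = "\n".join([
    "# constructed feed for the lab",
    feed_entry(DROPPER, "constructed-dropper"),
    "d41d8cd98f00b204e9800998ecf8427e empty-file   # MD5 entries are accepted too",
    "ZZZZ not-a-hash",
])


if __name__ == "__main__":
    entries, rejected = parse_feed(FEED_TEXT)
    print(f"{len(entries)} entries loaded, {len(rejected)} rejected: {rejected}")
    for name, blob in (("dropper", DROPPER), ("benign", BENIGN), ("empty", b"")):
        print(name, "->", lookup(blob, entries) or "no match")
```

Rejecting malformed lines instead of skipping them silently matters in practice: a feed that suddenly fails to parse is a sign the upstream server changed or was tampered with, and the FortiGate's View Entries count in step 10 is the place to notice that the number of loaded hashes dropped.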
----------------------- Answer Section -----------------------
Answer: none
Answer Text:
Answer Key:
Objective: 11
Section: Antivirus
Points: 0
Objective Text:
Answer: none
Answer Text:
Answer Key:
Objective: 12
Section: Automation
Title: Configure User Defined Automation (Ban Compromised Host)
Points: 0
----------------------- Objective Section -----------------------
Objective Text:
John (hacker) has failed miserably so far in gaining access to the Windows
Server 2012 in the Enterprise Office.
John still doesn't lose hope. He gets in touch with one of the Enterprise Office
employees and convinces him/her to install malicious software on Bob's
Windows Server 2012 client machine via a USB stick.
The malicious software is actually a .BAT file that, once executed, will try to
visit and download content from phishing and malicious websites.
The objective of this lab exercise is to configure a very strong feature of FortiOS,
User Defined Automation, which will automatically ban the compromised host IP
(Windows Server 2012) and stop it from propagating the threat further.
5. Make sure Status is Enabled and All FortiGates option beside FortiGate is
selected.
Apply Web Filter profile to Firewall Policy for detecting malicious web traffic
Answer Text:
Answer Key:
Objective: 13
Section: Automation
Title: Execute Malicious BAT file
Points: 10
----------------------- Objective Section -----------------------
Objective Text:
Bob is unaware of the malicious code installed on the Windows Server 2012,
and one day he inadvertently executes it as follows:
The code will try to connect to and retrieve content from malicious websites.
Let the program run in the background; you can move on to the Stop and Think
question.
Stop and Think
How is a compromised host identified in the Security Fabric? (Select one)
Hint: 1 Points: 1
Hint Text:
Hint 1:
This is a service offered by FortiAnalyzer. FortiAnalyzer identifies compromised hosts by checking the
logs of each end user against its threat database. When a threat match is found, a threat score is assigned
to the end user. When the check is complete, FortiAnalyzer aggregates all the threat scores of that end
user and gives its verdict.
Answer: radio
Answer Text:
Correct Answer:
FortiAnalyzer analyzes the traffic logs, identifies the compromised host via the Indicator of
Compromise (IOC) license service and sends the verdict to the Root FortiGate in the security
Fabric.
Answer Key:
✘ 1. Root FortiGate in the Security Fabric identifies the compromised host itself
✔ 2. FortiAnalyzer analyzes the traffic logs, identifies the compromised host via
the Indicator of Compromise (IOC) license service and sends the verdict to the
Root FortiGate in the security Fabric.
✘ 3. FortiClient installed on the host machine identifies and sends the
Compromised host verdict to the Root FortiGate in the Security Fabric.
✘ 4. Device Detection enabled on the local interface identifies the
compromised host and send the information to the Root FortiGate.
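The hint and the correct answer above describe compromised-host detection as a per-host threat score aggregated from logs. The Python below is an added example for this guide that models that mechanic; it is not FortiAnalyzer's IOC engine, and the category weights, the verdict threshold, the second host 10.10.3.20 and the log lines (with placeholder logid values) are constructed. It shows how to parse FortiGate key=value log lines whose quoted values may contain spaces, and how one spam click stays under the line while a host hammering phishing and malware sites, like Bob's after the .BAT file runs, crosses it.

```python
"""Model of compromised-host (IOC) scoring over web-filter logs.

Added example for this lab guide; it is not FortiAnalyzer's IOC engine.
Weights, threshold, the host 10.10.3.20 and all log lines are constructed
(the logid values are placeholders).
"""
import re
from collections import defaultdict

# key=value pairs; values are either "quoted, may contain spaces" or bare tokens
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed per-category weights (not FortiGuard's real scoring).
CATEGORY_WEIGHT = {
    "Malicious Websites": 10,
    "Phishing": 10,
    "Spam URLs": 4,
    "Proxy Avoidance": 3,
}
VERDICT_THRESHOLD = 20   # aggregated score at which a host is called compromised

BOB = "10.10.3.150"      # Bob's Windows Server 2012 from the lab
OTHER = "10.10.3.20"     # constructed: a user who clicked one spam link

# Constructed FortiGate-style log lines: four web-filter events and one plain
# traffic log that carries no category and must be ignored by the scorer.
SAMPLE_LOGS = f"""\
date=2020-06-01 time=09:00:01 logid="0000000000" type="utm" subtype="webfilter" srcip={BOB} dstip=203.0.113.10 hostname="phish.example" url="/login" catdesc="Phishing" action="blocked"
date=2020-06-01 time=09:00:02 logid="0000000000" type="utm" subtype="webfilter" srcip={OTHER} dstip=203.0.113.44 hostname="spam.example" url="/" catdesc="Spam URLs" action="blocked"
date=2020-06-01 time=09:00:03 logid="0000000000" type="utm" subtype="webfilter" srcip={BOB} dstip=203.0.113.11 hostname="malware.example" url="/payload.exe" catdesc="Malicious Websites" action="blocked"
date=2020-06-01 time=09:00:04 logid="0000000000" type="utm" subtype="webfilter" srcip={BOB} dstip=203.0.113.12 hostname="cdn.example" url="/style.css" catdesc="Information Technology" action="passthrough"
date=2020-06-01 time=09:00:05 logid="0000000000" type="traffic" subtype="forward" srcip={BOB} dstip=203.0.113.13 action="accept"
"""


def parse_log_line(line):
    """Turn one key=value log line into a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV.finditer(line)}


def score_hosts(log_text, weights=CATEGORY_WEIGHT, threshold=VERDICT_THRESHOLD):
    """Aggregate a threat score per srcip; return {srcip: (score, verdict)}."""
    scores = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec.get("type") != "utm" or rec.get("subtype") != "webfilter":
            continue                       # only web-filter events carry a category
        if "srcip" not in rec:
            continue
        # blocked or not, a request to a bad category is evidence about the host
        scores[rec["srcip"]] += weights.get(rec.get("catdesc", ""), 0)
    return {ip: (score, "compromised" if score >= threshold else "clean")
            for ip, score in scores.items()}


def hosts_to_ban(verdicts):
    """The address list an IP-ban automation action would receive."""
    return sorted(ip for ip, (_, verdict) in verdicts.items() if verdict == "compromised")


if __name__ == "__main__":
    verdicts = score_hosts(SAMPLE_LOGS)
    for ip, (score, verdict) in verdicts.items():
        print(f"{ip:14s} score={score:3d} {verdict}")
    print("ban:", hosts_to_ban(verdicts))
```

Two design points carry over to the real fabric: the verdict is computed from the logs the FortiGate already ships to FortiAnalyzer, so the web filter profile applied in Objective 12 is what produces the evidence, and the action (the IP ban) is separate from the scoring, which is why the stitch needs both a trigger and an action.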
Objective: 14
Section: Automation
Title: Verify Automation Results
Points: 0
----------------------- Objective Section -----------------------
Objective Text:
Automation removes the need for manual intervention by a network admin in order
to act on threats detected inside the network. That is what it was designed for in
the first place.
After 2 minutes have passed, we can go ahead and verify the action taken by the
Automation Stitch configured on the FortiGate-Edge.
3. Make sure that the time period is set to 5 minutes in the top right
corner.
4. Verify that the compromised host is highlighted with an IP-ban circle surrounding it.
5. Move the mouse pointer over the compromised host icon and verify the host
information.
10. You will find that Bob's Windows Server 2012 IP address (10.10.3.150) has
been banned from the network automatically to restrict it from propagating the
threat further.
Answer: none
Answer Text:
Answer Key:
Objective: 15
Section:
Title: Completion
Points: 0
----------------------- Objective Section -----------------------
Objective Text:
Thank You
Answer: none
Answer Text:
Answer Key: