Scribd
Upload
15 views

Fortigate@nettrain

Uploaded by

elahi elahi
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
15 views

Fortigate@nettrain

Uploaded by

elahi elahi
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 131

What this Book ​is all about

This book is written for one purpose only:


To give you the ​skills​ and knowledge to administrate your
firewall in the ​fastest way​ with a solid theoretical foundation

It does not cover every topic, only those that are needed for
you to get around quickly and administrate your firewall in
different topologies and use cases

Every chapter includes hands-on practices

It is written for​ beginners and intermediate users

Telegram Channel @nettrain


The following book will help you to get around and feel cosy with your
FortiGate firewall for most everyday tasks:
Configuring Interfaces, firewall address objects, static routes, policies,
understand the different sessions that are created and terminated, and the Logs
that will help you to understand your network behaviour

Telegram Channel @nettrain


Table Of​ ​Contents

What this Book is all about 1


Table Of Contents 3
Basic Setup 5
Importing your VM 8
Physical appliance 13
Configuring an Admin Account 18
Super and Professional 19
Super Admin Account 23
Using MFA 26
Configuration Backup 31

Backup Restore and Revisions 34


Automatic Backup on LogOut 36
Backup to a TFTP server with an Automation Stitch 37
Configuring a new LAN interface 41
Configuring Interface with the Command Line 42
Configuring Interface Using the GUI 45
Configure Your LAN 46
DHCP service 47
MAC reservation access control 49
Captive Portal 54
VLAN Creation 57

Telegram Channel @nettrain


User Group 62
Creating VLAN in The CLI 69
Creating firewall Address Objects 72
Layer 3 Routing 79
Routing Decisions 80
Policy-Based Routes 83
Routing Cache 84
FIB 85
Static Route 87
Set Up Policies 91
Demystify Sessions 101
Tracking Sessions 102
Session Vocabulary 106
May Dirty 110
Session TTL 111
Log And Report 113
Enable Logs on policy 115
Understand Logs Through Commands 117
Download Your Logs 119
header part 120
The body part 120
Log settings 121
Delete Logs 122
Useful CLI Commands 123
Final Words 130

Telegram Channel @nettrain


Basic​ ​Setup

Telegram Channel @nettrain


Welcome to “Fortigate Admin Crash Course

Everything in this book is done on a virtual machine, which you can download at
https://support.fortinet.com/

Here you will create a free account, once you set up your account, navigate to
the ​Download​ section at the top bar and click on ​VM Images

Telegram Channel @nettrain


You will find different virtual machines images, choose your VM platform, I use
the ​VMware ESXi​ with my VMware fusion for Mac

Make sure that you download the correct image ( new deployment ) . the current
version, at the time this book was written, is ​6.4.4
The free version that you will download has some limitations, but it will do for
most of our practices

Telegram Channel @nettrain


Importing your​ VM

Importing the image to your VM platform and configuring your FortiGate depends
on your OS of choice, we will do it using My Macbook, but the flow is very similar
in windows

Go to ​File --- Import​ and choose your Fortigate VM that you have just
downloaded. The download is usually in ZIP, so you will have to extract it

Telegram Channel @nettrain


The setup should take a few minutes

Telegram Channel @nettrain


Once you finish the setup, you will see your VM summary. Press the Finish
button, and your VM will start to load and Booting the Kernel

When that finishes, you will be prompt to enter your credentials


Enter​ “admin”​ (lower case ) for the user name
And enter a password, you will be asked to re-enter it

Telegram Channel @nettrain


The following are Command-line commands, that you don’t need to understand,
for now, we will set up the interface that will connect us to the Management page
through the browser

The IP address that you have just configured is a static one, make sure that it is
in your home/office subnet , the one that you are connected to
The​ “set allowaccess”​ actually defines the protocols that you are allowed to
connect through as an admin

Telegram Channel @nettrain


Now open up your browser, using the address you have configured, and enter
the credentials you have set up at the beginning ( ​admin, password​ )

Telegram Channel @nettrain


Physical ​appliance

On a physical device, the port1 interface is usually configured with a DHCP


server ( more on the different services later on ) and an IP address of
192.168.1.99.

You will need to connect your computer to that port. you can also configure your
computer in the 192.168.1.0 subnet range ( configure it with a static IP address in
that range if it doesn’t get for some reason an IP address from port1 interface )
All of the things that you will learn in this book applies to both Virtual and
physical devices

Telegram Channel @nettrain


Let's Start

You can do a lot with your NGFW firewall, from Simple Rules, Web filtering,
Deep SSL inspection of the traffic, IPsec tunnels, custom IPS signatures, even
using it as a web application firewall. This book will focus on most used
administration topics, as well as firewall rules, routing and analyzing sessions

Telegram Channel @nettrain


We will look at the different capabilities, using screenshots from my home
FortiGate but let’s start with the basic things you do when you connect through
the administrative interface and that is:

● Set admin profile


● Set up new interfaces for your LAN
● Config firewall address objects, for users, machines, anything in your
LAN, that you may need to address
● Configure a default static route that will allow anyone to get out to the
internet through your WAN port
● Configure your first policy

We will configure the above using the Graphical user interface, but we will focus
on the ​Command Line​, which is the best way to get into the advanced stuff.

Telegram Channel @nettrain


Once you are connected to your FortiGate for the first time ( On one of the
available ports ), you are actually the Administrator of the machine. you have all
the ROOT privileges and you can do just about anything from assigning new
administrators or configuring your FortiGate firewall without any limitations

On your Left menu pane​ c​ lick​ system--- administrators​, choose ​admin and
edit ​ you can configure your admin profile ( password and name), 2-factor
authentication, trusted hosts ( IP addresses ) that you can connect from, and
more

Telegram Channel @nettrain


Telegram Channel @nettrain
Configuring an ​Admin Account

Telegram Channel @nettrain


You are the Admin of your Firewall, similar to ROOT in a Linux Machine
Configuring an admin profile is probably one of the first things that you will do
with your FortiGate.

You can set up your admin profile using the graphical user interface, and you will
probably do so once you get into your FortiGate. But this time, we'll do it using
the command line.

Looking at the different admin profiles, we can see that there are two main
profiles.

Super and ​Professional

The first profile is the ​super admin​, which actually has permissions to just about
anything, it has the​ Read/Write​ permissions to any place in the FortiGate
interface. The second profile is the ​professional admin​. which is usually a
limited admin.

Telegram Channel @nettrain


It has different​ Read/Write​ permissions, which we as Super admin can
determine.
So let's create a new professional admin profile. Let's log out and enter again as
the new professional admin and see the differences.

Our new administrator will be a local administrator


and the credentials will be stored in the FortiGate internal storage.
We are not using a remote server, we'll assign a very simple password just for
the demo purposes.

Telegram Channel @nettrain


On the right corner of your FortiGate interface, you will see the javascript CLI
icon (arrow followed by an underscore ), just click on it and the command line will
open up

The administrator we created has a ​Professional admin ​profile

Once configured, let's move over to the​ admin menu​ which is on the top right
side of the interface, and log out.

Telegram Channel @nettrain


And let's log in again as the new professional admin I am using the ​“ofershm”
username and the new password that we have just created.

Alright, it looks similar. But when we will move between the different menus. We
will see that as a ​professional admin​ ( which has only the read permissions )
we cannot do anything. We can only view the current configuration. We cannot
create or edit new interfaces or policies.

Telegram Channel @nettrain


Super Admin ​Account

​ uper admin
Now let’s create another​ admin​, this time a s

Again open up the ​CLI

Start by typing​ “config system admin”​ ( no need for the quotes )

The next thing to do is to name our admin, let's name it test admin. We do that
using the edit command
“edit test”

A new entry was added. the ​test​ admin.


Now, the second thing to do is to set its profile. ​Remember​, we have two main
profiles. The first one is the​ ​super admin​, ​which is the root admin , The second
admin is the ​professional admin​ which is also used usually for specific tasks to

Telegram Channel @nettrain


administrate another virtual domain in your FortiGate. So we'll use the ​super
admin​.

Continue by typing​ “ set accprofile super_admin”​, that will set us as a super


admin

Now let's set a password for that admin, let's set a simple password ( don't use
that in real environments ). And let's set a trusted host. ​a trusted host​ is a place
from where the admin will connect to our FortiGate. A good practice is to set up a
trusted host from within the subnets, or the IP address in our home in our
admin’s home, or from the work.

Alright, so now we have configured one trusted host, we can configure several
trusted hosts.

Now we can set up more configurations such as the remote authentication, do


you want to be authenticated using a remote server such as a radius or LDAP, or

Telegram Channel @nettrain


maybe do it locally on your FortiGate. This time, we will disable remote
authentication, we can also set up a two-factor authentication which we will do
next.

So this is the basic, the most basic admin profile configuration. Let's end it.
And let's see it using our graphical user interface.

The next thing is something that is quite interesting. Now, you're a privileged
admin. You're a​ super admin​, and you have professional admins that administer
different tasks in your FortiGate.

You can set up different things based on the fact that you're the privileged admin,
such as password expiry for those professional admins.

How do you do it?


Type ​“config system password policy”
We can see that the status is currently enabled
If it is disabled, just enable it.

Telegram Channel @nettrain


Using ​MFA
You can use ​2-factor authentication​. such as a token with your administrator
account.
You can use different Token solutions, but here we will look at one of the coolest
methods, which is using our email

Telegram Channel @nettrain


For the purpose of our demonstration, we will use my second admin account
which is “test”, it is a professional admin account. Now if I'll try to edit it using the
GUI, we will see that indeed, two-factor authentication, we only have two
possibilities. The first one is ​FortiToken​ and the second one is the ​FortiToken
Cloud.

Telegram Channel @nettrain


To get our third option, which is the email, we should open our command line and
type ​“config system admin”

Now you will add the profile that you wish to add the email two-factor
authentication In my case, it's​ “test”

You will set the two-factor email which enables you to have The third option on
the GUI itself and you can set the email to where to send the token itself.

Let's set it to o
[email protected]

“set two-factor email”


“set email-to [email protected]

Telegram Channel @nettrain


let's end it.

Now if we will refresh the page, we will see that we have a third option

Telegram Channel @nettrain


The next thing to do is to go to System Settings, set up your custom or default
email service. I've left that using the Fortinet SMTP server, but you can use your
own SMTP settings.

Telegram Channel @nettrain


Configuration ​Backup

Telegram Channel @nettrain


Backing up your configuration should become second nature. You can
backup your configuration to a TFTP server, to your local disk, or to a USB
drive
Let’s start by looking at our current configuration using the CLI

“Show full-configuration”

Telegram Channel @nettrain


This command will list all the configurations that are currently on your FortiGate,
including interfaces, policies, protocols, services, passwords, accounts …

To backup, your configuration, navigate to the top right page of your FortiGate
admin page, where and click on the ​admin ​menu

The menu will show up with several options ( logout, change password,
configuration )

Choose ​configuration​ and a new page will open up

Telegram Channel @nettrain


Here you will find the option, to backup your configuration to a local PC, or to a
USB disk and to either encrypt the configuration file with a password or to keep it
in plain Text

-------------------------------------------------------------------------------------------------------
NOTE: EVEN IF YOU DECIDED TO KEEP THE CONFIGURATION WITH NO
ENCRYPTION, YOUR PASSWORDS ( ADMIN PASSWORD, USER
PASSWORDS, WILL STILL BE HASHED, SO NO ONE CAN USE THEM )
--------------------------------------------------------------------------------------------------------

Backup Restore and ​Revisions


To restore a configuration, you will move back to the top right admin menu
On the menu choose ​Configuration ---​ ​Restore

You can restore the configuration backup, to other FortiGate machines, but
it depends
● If the back up wasn’t encrypted, you will need a ​similar FortiGate model
● If the backup was encrypted, you will need the ​password, similar model,
and similar firmware

Telegram Channel @nettrain


A good practice is to save revisions of your backup with descriptions for each, so
you will know what has changed
On the admin menu ​configurations --- revisions - save changes

Telegram Channel @nettrain


Automatic Backup on ​LogOut
One of the coolest features you can use is to automatically backup your
configuration on every log-out.

Open your CLI and write the following:

Now make changes to the configuration and logout

Telegram Channel @nettrain


Now navigate again to revisions, and you will see a new automatic backup on
logout message

Backup to a TFTP server with an ​Automation


Stitch
You can backup your configuration to a TFTP server, we will do it using a CLI
Script and an Automation Stitch

Automation is fundamental to every security appliance out there and FortiGate is


not different. you can use automation in different ways we will look at the most
frequent use which is backing up

The idea behind ​automation stitches​ is simple. it is very similar to IFTTT ( if


this then that ) you choose a ​trigger​ and you choose the ​action​ that will follow.

So let's create our new first stitch. Let's name it ​“Backup”​.

Our trigger will be ​“schedule”​, we will set a daily hour, in which a backup will
happen automatically, using a CLI Script

Telegram Channel @nettrain


So let’s move to ​security fabric--automation

● Create a ​new Automation Stitch


● Name it ​Backup
● And on triggers choose​ “schedule”

Telegram Channel @nettrain


Here we have a scheduled event that will back up our device daily at 12 o'clock
The next thing to do is to set up an action using a CLI script that will trigger a
backup.

Our CLI script will be ​"execute backup config tftp back.conf 10.0.7.22"
● Back.conf​ = the name of the file
● 10.0.7.22​ = the IP address of the TFTP server

Telegram Channel @nettrain


---------------------------------------------------------------------------------------------------------
The Idea Behind Automation Is That You Can Do A Bunch Of Things Using
The Automation Scripts That Will Help You To Offload Daily Tasks
------------------------------------------------------------------------------------------------------------

Telegram Channel @nettrain


Configuring a new ​LAN interface

Telegram Channel @nettrain


You can configure your LAN interface using the graphical user interface,
which is quite intuitive, or using the CLI as we did at the beginning, so here
is a reminder and let’s start from the basics

Configuring Interface with the​ Command Line


Start with ​“Config system interface”
Decide which port you want to configure the interface​ “Edit port5”
How will it get it’s IP address, static or by DHCP​ “Set mode static/DHCP”
---------------------------------------------------------------------------------------------------------
NOTE - Using The Tab Key, You Can Toggle Between Different Options As
In “DHCP” Vs “Static”, You Can Also Use Tab To Auto-complete
Commands
------------------------------------------------------------------------------------------------------------

The second thing to do is set the protocols allowed to access that interface. you
do that using the ​“set allowaccess”

Telegram Channel @nettrain


This is the basic setup, but you can add up more information, actually a lot more
information as seen in the screenshot

Telegram Channel @nettrain


Configuring interfaces is one of those things that determines and changes your
topology and network capabilities completely. If you want to see which
capabilities and support can be added, just type :
“config system interface”
“edit port (X)”
“show full-configuration​ “

Telegram Channel @nettrain


Configuring Interface ​Using the GUI

Let’s assume that:

● Our FortiGate management interface is at port 3 with the 10.0.5.1


address
● Our FortiGate is connected to an ISP router, through port 1, it will be
our WAN interface
● Our new LAN will be at ​port 10​, at the ​10.0.7.0​ subnet
● Anyone Who is connected to port 10, will be part of that LAN and will
get an IP address from its an internal DHCP server that we will set

Telegram Channel @nettrain


Configure Your ​LAN
Click on ​network--- interface---edit ​ (Choose any interface ,in our case it is port
10 ), you will enter the interface configuration page

Name your interface using the ​Alias​ field ( very important )


The second thing is the role, you have 4 options:
● LAN
● WAN
● DMZ
● Undefined
We will choose ​LAN

At the address field, choose your LAN gateway IP address, you can choose to
get one from a DHCP server, but will set it in a static ( manual ) way

From here, you can configure the ​administrative access​ that will allow you to
connect to that interface, either ​HTTPS, SSH​ …

Telegram Channel @nettrain


--------------------------------------------------------------------------------------------------------
Note — there are tons of things that you configure on your interface, but we
will focus on the most basic and fundamental
---------------------------------------------------------------------------------------------------------

Your LAN will lease IP addresses to all members of the subnet, so we will set a
DHCP server​, by enabling it

DHCP ​service

You can control the number of IP addresses, bare in mind, that you don’t
necessarily need to have 254 addresses available, if your LAN has only 15
employees, use 30 or 40 addresses

Telegram Channel @nettrain


If you enable the advanced options, you will have more options, as using a
DHCP relay​, that is if you don’t want to use your interface DHCP server, you can
also configure, additional ​DHCP options, known as scopes ​ ( as in the case,
where you will want to send your wireless clients the IP address of their a Wi-Fi
controller, change the Lease time or send an NTP server address )

Telegram Channel @nettrain


DHCP configuration​ also includes the ability to assign or reserve ​IP​ addresses
to specific MAC address, or to block ​MAC​ addresses from getting IP addresses

MAC reservation ​access control


If you already have clients that are connected to our interface, you can choose
to Add them from the DHCP client list , to the list of MAC addresses that you
wish to assign different rules on them .

Telegram Channel @nettrain


For ​unknown MAC addresses​, we can decide either to assign IP or to block
them from getting any IP address from our DHCP server.

In IP address assignment rule create​ New


And In the ​action​ type, you can choose between
● Assign IP​- Bind a specific IP to a MAC address

Telegram Channel @nettrain


● Block​-The MAC address will not get any IP Address

Telegram Channel @nettrain


● Reserve IP​ - Permits the DHCP to assign an IP address from its pool. The
receiving device will always get the same address

Telegram Channel @nettrain


Following our Basic ​DHCP server​ Configuration, we can enable several more
features, one of them is​ device detection​ ( very useful when you have different
types of devices and operating systems in your network ) and enable a​ captive
portal​ authentication for the employees or a specific group of employees ( good
for outsourcing employees )

Telegram Channel @nettrain


Captive ​Portal

Telegram Channel @nettrain


Captive Portals are a common security procedure, used consistently on our
networks for guests or even when outsource employees work within your
internal LAN, connecting through ethernet wall sockets.

One way to do so is to enforce it by creating a​ VLAN​ ( virtual LAN ) on your


subnet interface, apply a captive portal on that interface, and create an outsource
employed group

In our current topology, We will not use LDAP For our outsource group ( although
it better to do so and more reasonable, but let’s make things simpler ) we will use
our local FortiGate firewall database

Our Topology
Quite a simple Topology, SMB switch connected to our Marketing LAN, and a
FortiGate that is connected to the ISP router

Telegram Channel @nettrain


On your FortiGate admin page, choose​ network —interfaces

Telegram Channel @nettrain


The opened screen will list all Interfaces on your Fortigate firewall, we will choose
to apply our captive portal to our ​Marketing LAN​, but you can choose to do it, on
any LAN you wish

Our​ Marketing LAN​ has Connected to​ Port 2​ and the subnet is ​10.0.5.0/24

Employees on that LAN are connected through the switch which is connected To
the Fortigate Firewall, Currently with No VLAN”s

VLAN ​Creation
Let’s create the​ VLAN​ that will be used to connect our outsource employees to
the network

VLANs are one of the most fundamental concepts in networking. So you


have your LAN, this is your broadcast domain. Now you're limited with
physical interfaces and you want to create more broadcast domains for
other appliances, other users, how do you do it? Using VLANs?

You can create VLANs using the GUI, the graphical user interface by moving to
create a new interface, and VLAN.

So move to the create a new interface, on our network interface page, and
Choose an interface

Telegram Channel @nettrain


The New Page that will be opened will allow you to create new interfaces (
Software switch, Loopback, SSID​…) we will focus on our VLAN Interface,
which will allow us to create another ​broadcast domain​ running on our physical
port 2

Telegram Channel @nettrain


Now, Let’s configure our new VLAN
● Name:​ outsource
● Alias:​ let’s give it the same number as our Vlan ID which will be 100
● Type:​ we will choose Vlan out of all choices
● Interface: ​here we choose the physical interface that will occupy our
VLAN, in our case it is Marketing port 2
● VLAN ID:​ that’s the 802.1q tagging of our VLAN as seen by the switch
● Role:​ we will choose LAN, as it will be used as a local area network for our
outsource employees

Telegram Channel @nettrain


------------------------------------------------------------------------------------------------------------
REMEMBER our VLAN, is another Local area network of itself
------------------------------------------------------------------------------------------------------------

Now let’s assign a new IP address at the 10.0.7.0 subnet, a DHCP service, so
our employees will lease IP’s and administrative access for the admin using
HTTPS and SSH

Telegram Channel @nettrain


Let’s click​ OK​ for now, we will get back to our VLAN interface again.
On the interface page, you will see the ​+ sign​ next to our marketing interface

Telegram Channel @nettrain


Click on the ​+ sign​, and you will see our new outsource ​VLAN 100​ at the

10.0.7.1

User ​Group
Now let’s create a group for our outsource employees, as said, we will not use
LDAP or any other remote authentication servers, we will use our local firewall
database

Move over to ​User & Device — User Definition

Here you will create your outsource employees, let's create two employees
Click New

Telegram Channel @nettrain


Coose Local User and click ​Next

Choose a ​Username and Password​, that will be used when your employees,
will authenticate, through the captive portal

Click ​Next​, you will have the option to add an email and two-factor authentication

using tokens, lets just add an ​email

Telegram Channel @nettrain


Click ​submit​ on the next page, we will assign this employee to a dedicated group
soon

Telegram Channel @nettrain


Create as many users as you need, in the end, you will see, them on the user’s
page

Telegram Channel @nettrain


Now let’s assign the new Users to a dedicated group, this group will be used in

Our captive portal. click​ User Group ---- create new

Name your group and click on the ​Members + sign​, here you will add the new
users that you created

Click OK​, The new group was created

Telegram Channel @nettrain


Now let’s get back to our interface page, choose the ​VLAN​, We have created,
and click ​edit

Scroll down to the network part, where you will see the ​Security mode​ button,

and ​enable ​it

Telegram Channel @nettrain


Choose ​Authentication portal — Local ​( if you choose External, it will ask you
to refer to an external server
User access — choose restricted to groups

Now let's choose our user group, click on the​ + sign​ next to ​User groups​ and
choose the group, that you have just created

Telegram Channel @nettrain


You can also exempt sources, that you do not want to be directed to the captive
portal page. you will need to create a ​firewall address object​, as shown in the
next chapter

Press OK. that’s it, you have created your first captive portal

You will need to make sure, that your switch supports Vlan’s, and to assign the
relevant ​VLAN100​ on that switch also, besides that, you’re done, your FortiGate
port2, has become a Trunk port, that can except ​native VLAN traffic​, and your
outsource VLAN 100 traffic

Creating VLAN in ​The CLI

We can also create Vlan’s Using the CLI, so let’s do that to our marketing
interface at the 10.0.5.0/24 subnet, assuming that we need another broadcast
domain for outsource employees

Our VLAN ID will be 100, and it will be associated with port 2, which is our
Marketing Port and it’s IP address will be 10.0.2.1

Telegram Channel @nettrain


And now if we move back to our​ interfaces page​ , we can see that we have a
new VLAN interface

Telegram Channel @nettrain


Our new VLAN behaves just like any other local area network, you can keep on
configuring DHCP services, DNS services, just about anything on that VLAN the
same way as you were doing on any other interface.

Telegram Channel @nettrain


Creating firewall ​Address Objects

Telegram Channel @nettrain


Your firewall rules will require you to recognize specific devices in your
LAN, using IP address, Geographic location ( in the case that we will want
to block geo- address as destinations ) and more.

So if for example, we have in our LAN a device, such as a ​NAS ​(


network-attached storage ) that we will want to open specific rules, only for him, it
would be much more convenient to use an ​Address Object

To configure our address object in our LAN, we will use the command line,
remember that:
● Our NAS belongs to the 10.0.7.0/24 subnet
● It is connected through port 10
● It has the 10.0.7.11 address

To get into the command line, click again on the ​CLI symbol ​at the top right side
of the page which will open the command line

Telegram Channel @nettrain


From here we will type the following

Telegram Channel @nettrain


● We have created a new object using the ​“ config firewall address “
command
● Named it “NAS” with “edit NAS”
● Associate it with the relevant interface ( port 10 ) - ​“set
associated-interface port10”
● And assigned an IP address - ​“set subnet 10.0.7.11 255.255.255.255”

Now we can use our address object in different policy scenarios to block or allow
this specific object.

We can also create address objects using the GUI. just navigate to ​Policy &
Objects --- Addresses

Telegram Channel @nettrain


But this time let’s configure another type of address object, the ​GEO location
object. fill in the name, type of object, country, and interface

Click ​OK​, you can see the address object in the list of addresses

Telegram Channel @nettrain


Summary

We started with an administrator set up, interface configuration with DHCP


service running that will lease IP addresses to your clients, we have also
configured a basic captive portal for a user group and finally, we have configured
a firewall address object for a specific device on our subnet

We needed to create a firewall address object so that we could, later on, point
specifically to that device on our subnet

Now it is time to let traffic from our interface get out to the internet with the
static route and our first policy

Telegram Channel @nettrain


Telegram Channel @nettrain
Layer 3 ​Routing

Telegram Channel @nettrain


Routing is a destination decision making in other words, it is the thing that
controls how packets are sent along the path from source to destination.
Routing is an OSI layer 3 decision, and network devices that belong to that
class are known as Routers. Your FortiGate firewall is not only a
next-generation firewall, but it is also a router

Network devices that perform routing, contain a ​Routing Table​, which helps
them to specify the next hop for a packet, using rules. your FortiGate does
routing lookups every time it needs to route packets

Routing ​Decisions

FortiGate is a session aware firewall. When it receives a packet from a client


towards any destination, it looks in the routing table, does a route lookup, and
saves the routing information in this session table.

When it receives the ​second packet​, the one that came from the destination
towards the client, it saves the route lookup, it does another route lookup, it
saves it into the session table.

Your FortiGate actually relies on three routing databases to forward the


packets:

● The first one is the policy-based route


● The second one is the routing cache

Telegram Channel @nettrain


● The third one is the FIB, the ​Forwarding Information Base​. So let's take
a look and see what is in each database.

When you check your routing table using the:

“get router info routing-table all”

You will see the connected routes, you see the static routes, dynamic routes,
such as OSPF or RIP, any route that is an active route

An active route​ is the best route to specific destinations on your FortiGate. If


you use the same command with the database

Telegram Channel @nettrain


“get router info routing-table database”

You see every route that there is in the routing table, including routes that are not
Active, as the route to 10.0.7.13.

One thing that you're not seeing on the routing table is the ​Policy-Based routes​.
If you move to network policy routes, you can actually create routes that are
much more granular in terms of the protocol that is being used, the source
address that is being used, and so on.

Telegram Channel @nettrain


Policy-Based ​Routes

Policy-based Routes can only be seen using the CLI, by typing:

“diag firewall proute list”

Telegram Channel @nettrain


Here you can see that I have a policy route with​ Netflix​ as the destination

The ​Policy-Based Routes​ are actually the first place that your FortiGate checks
to see if there's a route towards the destination that is in the policy-based route. If
it doesn't find a match, the second place that it goes to is the ​routing cache​.

Routing ​Cache

The ​Routing Cache​ is actually a mechanism that deals with performance. you
want to route as fast as possible. And your FortiGate has a dedicated memory to
cache entries, that is, the routing cash, how can you see the routing cache?

“diag ip rtcache list”

Telegram Channel @nettrain


And again, here you can see all the latest routes are saved on the ​cache itself​.
It doesn't see all the routes that are in the routing table, only the last entries that
are frequently used.

FIB

The third-place that your FortiGate checks for routes, if it doesn't actually find
anything in the routing cache, or in the policy-based routes is the FIB. The
Forwarding Information Base​ holds the active routes, not every route, but only

Telegram Channel @nettrain


the ​Active Routes​. It gets them from the routing table. It also holds routes that
are routes that are dedicated to SSL VPN or IPsec. How do you get to see the
fib?

“get router info kernel”

And that's the ​FIB​, the third database that your FortiGate checks before it sends
the packet towards its destination.

Telegram Channel @nettrain


Static ​Route

A static route is Probably the most used route in a FortiGate firewall, It is


manually configured and network experts will always tell you, that you can do just
about any route using the static route, although you have dynamic routes, (
OSPF…) which are much more sophisticated

So in our topology, we have the LAN which is at the ​10.0.7.0/24​ subnet, we also
have our WAN interface which is connected to our router at the ​10.0.3.55

Telegram Channel @nettrain


We need to tell our FortiGate...

“ If you see a packet that is coming from the 10.0.7.0 subnet,


send it through our WAN interface ( the 10.0.3.55) towards
our router “

Our static route will be the​ default route

A default Route is the same route that you are getting whenever you connect in
your home to your ISP router. which means that any packet that does not have a
specific route in your routing table, will be forwarded to the ​default route​ ( your
router ISP ) as the default Hop

The default route is written in that way 0.0.0.0./0.0.0.0, so let’s


configure that in our FortiGate

Telegram Channel @nettrain


Navigate to​ Network — Static Routes

And in static route create a ​new static route​, the following screen will appear

Telegram Channel @nettrain


Static routes​ ( as dynamic routes ) have different attributes that determine if
they are ​Active or Not​, Preferred more or Less. static route attributes are
Distance and Priority ​( available in the advanced options ), we will not get to
this, in this book, so keep the administrative distance to 10, that is the default
setting

● In destination, we will keep the 0.0.0.0/0.0.0.0 which is the default


route
● In the interface, we will choose the interface connected to our WAN,
which is port 1
● And in gateway address, we will enter, our router GW IP which is
connected to our FortiGate, in my case, it is 10.0.3.1

So, we have a ​default route​ that sends packets to our​ WAN i​ nterface, towards
our ISP router.

Telegram Channel @nettrain


Set Up ​Policies

Telegram Channel @nettrain


Alright, we have our interface all set up, our firewall address object and now we
also have a static route, that will let packet flow towards the ISP router on their
way to the internet

What is missing? A Policy Of Course

You should think of policy as​ “Traffic matching”​, that is, you define a rule that
will allow or deny traffic, assuming that it finds a match, once it finds a match (
that is your policy ), that are a set of things, it can do with that traffic, allow or
deny it, save logs, do a network address translation, apply a security policy and
more

There are different types of policies in your FortiGate, we will look at the

The Most popular ones are IPV4 policies


firewall policies are basically the bread and butter of every firewall.

Telegram Channel @nettrain


It doesn't really matter if your firewall is a next-generation firewall. Whenever you
head out to the Internet, and you're using a firewall, then you're obliged to firewall
rules. What are firewall policies? And how are they made?.

A firewall policy​ is nothing more than a set of criteria that your traffic needs to
match. Whenever an IP session happens in your network, a set of rules are
being matched against that traffic. If your firewall doesn't find a match at the first
rule, then it goes to the next rule, rules are handled from top to bottom. Now let's
look at how our policy rule is being configured and what objects are used to
create that match.

In every policy, there's always the implicit deny rule that sits beneath every other
rule. That is if your firewall doesn't find any match in the traffic, then the traffic
goes to the implicit deny rule, and it is being dropped.

Telegram Channel @nettrain


So when we start to configure our firewall rule, we have, an implicit deny rule at
the bottom. And from there, we start to configure our different criteria that will be
matched against your traffic.

We start with the name of the rule itself.

Telegram Channel @nettrain


As for naming conventions, don't use too many characters. Don't use spaces
between words, try to use underscores.

The second match is the incoming interface​. What is the incoming interface?
Well, for example, that could be the interface that your local area network is
connected to. Wherever the traffic comes from. it could also be your WAN
interface

The third match is the outgoing interface.

Telegram Channel @nettrain


it can be another segment of your enterprise network, it can be the DMZ or the
WAN . the interface that the traffic is heading

The incoming interface is known as the ​Ingress interface​.


The outgoing interface is known as the ​Egress interface​.

From there we move to the source


Who is the source that generates the traffic? Well, that can be your clients. That
can be just about any source that has an IP address, or you can use firewall
address objects as​ specific IP addresses​ within your local area network.
It can also be ​a user or user group ​that is saved on your firewall, internal
database, or a remote authentication server such as LDAP or a RADIUS server.

Another match is the destination


What is the destination that your traffic is heading towards? It can be any
destination, an IP address out there, either a specific IP that you can configure or
it can be a domain or maybe an internet service as an Amazon service. So be
sure to Be granular, don't just use ​any or all​. Be specific.

If you're configuring a full access policy that will allow anyone to get out to the
internet, then it will probably be “ALL” in the destination field
if you're configuring a specific destination, then be sure to configure them ahead
and use them in your policy.

The next match is scheduling


Do you want your policy to work out 24 hours, 7 days? Or do you want it to work
on specific hours, specific days, recurring days?
you will probably have cases where you will be asked to open a firewall rule for
specific appliances in your local area network. It could be a backup device, it

Telegram Channel @nettrain


could be network-attached storage, be sure to know what times those appliances
need that firewall rule.

The next match is service


Services are the protocols that are being used in your firewall rule? Are you using
only ​HTTP, HTTPS, and DNS that is Port 80, Port 443, and Port 53?​ Or are
you allowing your employees to get out to just about anywhere using any
protocol, including ​FTP, SSH​, and so on? So again, be careful with the service
usage

The last match is action.


Are you denying it? Or are you allowing traffic based on that match?

This was actually the first part of your policy or rule creation.
Once you have a match, your FortiGate will move to your security profiles, which
is going through antivirus application control, IPS, and so on.

The other thing that you will have to take care of is are you using network
address translation? Are you logging all sessions or only security events?

Alright, so let’s configure a policy

Navigate to ​Policies and Objects​ ( you probably guessed it :-), on your left
Pane
Create ​a new Policy​, and you will see the following screen

Telegram Channel @nettrain


We have said that a policy checks for traffic matching
so let's fill in the missing details

● Name​ your Policy


● The​ incoming interface​ is our LAN Subnet ( which is at port 10 )
● The ​outgoing interface​ is our WAN interface ( port 1 )
● Source​ — currently choose anyone, but then again, we can also choose,
specific devices based on the firewall address objects as My Mac

Telegram Channel @nettrain


● Destination​ — again choose all, but you can also limit the destinations to
be more specific as well known internet services

Telegram Channel @nettrain


● Schedule​ — you can set your policy to work 24 hours or on different days,
in specific hours, as in the case where you need your specific device to
backup your hosts
● Service​ — which protocol ? will you allow only HTTPS and DNS or any
protocol out there, be granular, so your policies, will not become your back
door
● And the last thing is the​ ACTION​, which will allow or deny the traffic based
on the different matches

Telegram Channel @nettrain


Your policy should look something like that

You will see that underneath the matching fields, you can set more settings such
as the inspection type (​ Flow or Proxy​ ), NAT, Security Profiles, Logging, and
more

Telegram Channel @nettrain


Demystify ​Sessions

Telegram Channel @nettrain


Your Fortigate is a session aware firewall, it looks at the first packet that is
sent by the source, saves it’s routing information, then waits for the
responding packet, and only then it creates a session in the session table.
Each session has time to live interval, route information, different states,
and more

Tracking ​Sessions
The following is a very typical scenario, you have a host, which is part of your
local area network. And you want to track its sessions, the places that your host
connects to. Now, you can do it in multiple ways you can look at the log report,
you can look at the FortiView. But let's do it using the CLI coming up.

So here's the following scenario, you have a device that is part of the 10.0.5.0
subnet. Its IP address is 10.0.5.7 And we want to track its sessions. Now, as I
said, we can do it in different ways
So the first command that you can use is the ​“get sys session list”

Telegram Channel @nettrain


And from here you can see all the different hosts in your networks and their
different sessions. Now, if you want to be more granular, you can just use the
grep command.

“Get system session list | grep 10.0.5.7”

And here we can see different sessions that are happening, one of them as you
can see is talking through UDP towards google’s DNS server.

Now the other way to do it is using the​ “diag sys session list”

Telegram Channel @nettrain


As you can see, we have dozens of sessions that are happening just now.
So we will have to use a filter.
Our filter will be the ​source address​ which is the 10.0.5.7
“Diag sys session filter src 10.0.5.7”

Telegram Channel @nettrain


“Diag sys session list “

We can filter protocols, destinations, and much more, play around with that,
filtering is a powerful tool

And there we get sessions that are used only by our device

Telegram Channel @nettrain


You can use the grep command again, to filter and be more granular on the
different items that you seek such as the type of protocol. Now it's using protocol
6, which is TCP but there are many details on the session output that needs to
be clarified

Session ​Vocabulary
When you look at a session output, the first reaction “WOW”, what’s that, so let’s
try to analyze the most important ones, and doing so, just look at your session
output

You can view your sessions, in different places, one of them is the logs, as long
as you enable logs for all sessions on the policy page

When you move to​ Log and report --- Forward Traffic​, you can see all the
traffic that moves between your FortiGate interfaces

Telegram Channel @nettrain


Each line in the logs represents a session

Click on any details and on the top right side, click on​ “details”
You will see the matching session ID

You can get to policy matching logs by ​right-clicking​ on the policy

Telegram Channel @nettrain


Let’s move to our CLI and demystify the session output, we will also filter
sessions per policy

Now, we will filter the sessions per policy

“Diag sys session filter policy 1”


“Diag sys session list “

We can see in the button the total number of sessions related to this policy

Telegram Channel @nettrain


In the session state, we see that it is equal to log, which means, that the session
is being logged

Session proto
It is the protocol used, it has a numbering index where:
● 6=TCP
● 17=UDP
● 1=ICMP

You can find the full list using google, but these are probably the main ones that
you will meet

Session State
Following the protocol that is used, comes the protocol state. Again there is a
numbering index, but before that, think of a regular 3 way TCP handshake
A client sends a SYN packet, The server responds with a SYN/ACK the client
returns an ACK. When it wants to finish the connection, it sends a FIN packet,
and so on

Telegram Channel @nettrain


Following the state, you will find the expiration time, the duration of that session,
these are self-explanatory
If you are using a traffic shaping policy, then you will notice that on the origin
shaper fields

May ​Dirty
The next interesting part is the state where it shows up = may dirty. there could
be 2 states, either ​dirty​ or ​may dirty

When it is dirty, the session needs to be validated again.


When your FortiGate receives the first packet, it evaluates the packet according
to the policy. the evaluation is usually done on the first packet only
But if throughout the session, the firewall policy changes, routing changes, or
network configuration is done, it is re-evaluated again

Telegram Channel @nettrain


If the packet follows the policies, then it is labeled ​“may dirty”
When a policy changes or any other condition, then the state for the following
packets changes to ​“dirty “
Your FortiGate checks the packets again, and only then- it changes the state to
may dirty again

Session​ TTL
When a user doesn't perform any action throughout a session, this session
will time out.
Each session and its protocol has a different interval on your FortiGate firewall.
A TCP session by default will timeout after 3600 seconds. But there are cases
such as in the medical world where you need your services, your sessions, not to
time out. How do you do it using a policy? And how do you do with using a
custom service?

Before we configure the session timeout, we will configure it on port 443.


Let's take a look at our Ubuntu device. Let's just resume it and let's refresh the
page. We're at YouTube. Alright, let's go back and let's just use the “diag sys
session list”

We can take a look at sessions that are TCP sessions, we can see that we have
an expiration time of 3600 seconds. Now let's configure a custom service
Using the​ “config firewall service custom”

Telegram Channel @nettrain


Let's set the TCP port range to be 443 only 443.
And let's set the session Time To Live to never.
Now let's end it
And you can also see the new service under the Services tab and categorized
services that we have just created.

Telegram Channel @nettrain


Log And ​Report

Telegram Channel @nettrain


Logs are fundamental to your FortiGate Administration. Let's look at the
log structure and understand how that works.

You can look at the different logs using the graphical user interface in the
log and report menu.

Telegram Channel @nettrain


From there, you will see the different logs as forward traffic logs which track,
traffic that flows between your FortiGate interfaces

Local traffic, which is internal traffic, sniffer traffic, if you're using packet capture,
and from there, you can see the different security profile logs.
To see logs either security logs or every session log, you have to enable logs in
your policy.

Enable Logs ​on policy


let's move to my policy and scroll down where I can enable log allowed traffic to
either all sessions or security events.

Telegram Channel @nettrain


I've enabled it on all sessions. So let's just move to my Ubuntu device. Let's
create let's generate some traffic, let's open up YouTube

let's move back to my​ Log and Report ​page.

Telegram Channel @nettrain


Understand Logs ​Through Commands
Our traffic actually flows through the policy that we have created. So we can look
at the forward traffic we have all the details, we can look at the source IP at the
destination itself, we can also look at the application name.

And if we click one of the logs, we can see that we have much more details,
either in terms of the action that the policy took or the application that was used,
we can also see the security level that was used.
Now, you do not have to use just about any ​security level ​out there. So let's
move to our command line

“config Log disk filter”

Telegram Channel @nettrain


if you use the ​“show full config”​ , you will see that you have different severity
levels :
1. Emergency
2. Alert
3. Critical
4. Error
5. Warning
6. Notification
7. Information
8. debug
Let's set the severity to ​critical​ so that logs that will be saved are only those in
critical severity level and anything that is above it.

Telegram Channel @nettrain


Download Your ​Logs

Getting back to our GUI logs. if we will click on the ​download​ logs ( the second
button from the left )

We can actually open the different logs once downloaded, let's just pick up one
log event

Telegram Channel @nettrain


Let's look at the structure of the log. The log is actually comprised of two parts:

header ​part
The header part is similar in all logs, the body part is different

In the header, we can see the date, the log ID, the type of traffic, the subtype,
which is forward traffic, the severity level, which is only “notice”, and the Vdom
that we are working on which currently is the root Vdom

The body ​part


In the body, we will see the event time we will see the source IP that triggers the
traffic, the source port the interface that it is connected, the destination IP, the
policy that we have used, and the type of protocol number ( 17 is UDP )

We will also see the action that was done. For example, if you see ​“client rst”​,
it means that the server sent a TCP reset message to the client.

Telegram Channel @nettrain


Log ​settings
Another good command that you will probably use is the

“config log disk setting”

Now here you can set different settings that are related to your logs. One of them
is the maximum log age, which currently by default is seven days and you can
change it. It all depends on your hard disk and its storage.
Play around with the different settings, understand your logs capabilities, it’s
crucial to your everyday administration

Telegram Channel @nettrain


Delete ​Logs
The last command is the
“execute log delete-all “

You can delete all of your logs. Once done we don't have any more logs. Now
use it carefully.
----------------------------------------------------------------------------------------------------------
Don't just delete your logs; they are crucial to your organization’s
Security and Stability.
-----------------------------------------------------------------------------------------------------------

Telegram Channel @nettrain


Useful CLI ​Commands

Telegram Channel @nettrain


The following commands are helpful to monitor and diagnose your fortigate
firewall

“Get system status”


Shows your fortigate set up, including firmware version, security profile database
dates, license validity, Vdom used, HA participation, and more

“Diag sys top”


Shows the different processes that are running on your Fortigate. Useful to
monitor resource-intensive processes as the IPS

Telegram Channel @nettrain


“diag sniffer packet <interface> <'filter'> <verbose> <count> a”
This command will capture packets on your fortigate , you can set up the
interface, protocol, source, destination, verbosity level and more

Telegram Channel @nettrain


“get sys seesion list”
We have used this command, it will show up the different sessions that are
running on your fortigate, including the NAT ( network address translation used )

“Diag ip address list”


Shows up the IP addresses that are used on different interfaces

Telegram Channel @nettrain


“Diag user device list”
Shows up the users and devices used on your network

“execute ping-options”
Troubleshoot connectivity using ICMP packets. This command has different
options as count, interval, source, and more

Telegram Channel @nettrain


“Show system interface port(x)”
Shows the current configuration on different interfaces

“Get system arp”


Shows the ARP table on your FortiGate

Telegram Channel @nettrain


“Diag hardware deviceinfo nic port(X)”
Shows the MAC address and the state of interfaces ( speed, MTU size…)

Telegram Channel @nettrain


Final ​Words
You have just Finished “Fortigate Admin Crash Course “ Part 1
I hope that you enjoyed the journey. My aim was to give you a head start on the
task of administering one of the best next-generation firewalls in the market.

But this was just the beginning. Your Fortigate firewall has so many areas that
we have not touched upon as Vdom’s, Proxies, security profiles, inspection
modes, clustering, and much more
“Fortigate Security crash course”​ is in the work and soon be published

Sincerely yours
Ofer Shmueli

Telegram Channel @nettrain

You might also like