What's New in FortiOS

Lab Guide
FFT-FortiOS r5-1716037163
Table of contents
1. Introduction .................................................................................................................................. 3
1.1. Fast Track Overview .......................................................................................................... 4
1.2. Agenda ................................................................................................................................ 5
1.3. Topology .............................................................................................................................. 7
2. Fortinet Security Fabric .............................................................................................................. 8
2.1. Fabric Management Pane ................................................................................................. 9
2.2. MAC Address Threat Feed .............................................................................................. 11
3. General GUI Changes ................................................................................................................. 14
3.1. FortiView ........................................................................................................................... 15
3.2. Dashboards ....................................................................................................................... 19
3.3. Packet Capture ................................................................................................................. 21
3.4. Debug Flow ....................................................................................................................... 24
4. SD-WAN ....................................................................................................................................... 26
4.1. SD-WAN Overlay .............................................................................................................. 27
4.2. Provision Template .......................................................................................................... 31
4.3. Review VPN Connection Status ..................................................................................... 33
5. ZTNA ............................................................................................................................................. 34
5.1. Endpoint Management Server ....................................................................................... 35
5.2. Logical AND Tag Matching Policy .................................................................................. 38
5.3. Test Connection (Windows Firewall OFF) .................................................................... 40
5.4. Test Connection (Windows Firewall ON) ...................................................................... 41
6. Policy & Objects ......................................................................................................................... 43
6.1. New Policy Layout ........................................................................................................... 44
6.2. Workflow Management ................................................................................................... 46
7. Secure Access Switching .......................................................................................................... 48
7.1. FortiSwitch Management ............................................................................................... 49
8. Operational Technology ............................................................................................................ 52
8.1. FortiGate OT View ........................................................................................................... 53
9. Networking .................................................................................................................................. 56
9.1. DHCP Shared Subnet ....................................................................................................... 57
9.2. Route Tag Address Objects ............................................................................................ 62
10. Conclusion ................................................................................................................................. 65
10.1. Continued Education ..................................................................................................... 66

What's New in FortiOS Lab Guide


Page 2 of 66 Fortinet Training Institute
1. Introduction

Fast Track Workshop: What’s New in FortiOS

To address today’s risks and deliver the industry’s most comprehensive cybersecurity platform that enables digital
innovation, Fortinet continues to enhance the Fortinet Security Fabric with the latest version of its operating system, FortiOS.

FortiOS ties all the Security Fabric’s security and networking components together to ensure seamless integration. This
enables the convergence of networking and security functions to deliver a consistent user experience and resilient security
posture across all manner of environments including on-premises, cloud, hybrid, and converging IT/OT/IoT infrastructure.

While this workshop focuses on new features introduced during the two latest major versions of FortiOS, all VMs have been
installed using the latest major version.

Some features may have changed slightly from the previous version to the most current version.

Tasks

The blue button at the top of this page is the primary action button. When there is an action that can be completed on the
page, this button will change accordingly.

When ready, click the blue Continue button in the menu at the top of the page to get started.

1.1. Fast Track Overview

The Fast Track program is a collection of free, instructor-led, hands-on workshops that introduce Fortinet solutions for
securing your digital infrastructure.

These workshops are only an introduction to what Fortinet security solutions can do for your organization.

For more in-depth training, we encourage you to investigate our full portfolio of NSE training courses at
https://training.fortinet.com.

1.2. Agenda

Background

Fast Track workshops often include more hands-on activities than time permits, and not every exercise suits every
opportunity. To allow for customization, some exercises are optional, giving instructors the flexibility to exclude or rearrange
the workshop flow as needed. Average execution times are provided as an aid in planning and to help instructors ensure
their Fast Track session will stay within the available timeframe.

Please take advice from your instructor if you have any questions.

Agenda

In the case of this workshop, the exercises are organized like this:

Section  Topic                                Time        Prerequisite
2.0      Fortinet Security Fabric             20 minutes  1.0
         2a: Fabric Management Pane           -
         2b: MAC Address Threat Feed          -
3.0      General GUI Changes                  15 minutes  2.0
         3a: Dashboard and FortiView          -
         3b: Packet Capture and Debug Flow    -
4.0      SD-WAN                               15 minutes  3.0
         4a: SD-WAN Overlay                   -
         4b: Provision Template               -
5.0      Zero Trust Network Access            15 minutes  4.0
         5a: Endpoint Management Server       -
         5b: Logical AND Tag Matching Policy  -
         5c: Test Connection (Firewall OFF)   -
         5d: Test Connection (Firewall ON)    -
6.0      Policy & Objects                     15 minutes  5.0
         6a: New Policy Layout                -
         6b: Workflow Management              -
7.0      Secure Access Switching              10 minutes  6.0
         7a: FortiSwitch Management           -
8.0      Operational Technology               10 minutes  7.0
         8a: FortiGate OT View                -
9.0      Networking                           20 minutes  8.0
         9a: DHCP Shared Subnet               -
         9b: Route Tag Address Objects        -

Time to complete: 2 hours

Tasks

Click Continue to move to the next page.

1.3. Topology

Background

This diagram is a useful reference tool while working on the lab exercises.

The following topology diagram shows the starting layout for this workshop.

Topology

Unless otherwise indicated all usernames/passwords for the various web consoles are:

Username: admin Password: Fortinet1!

Tasks

Click Continue to move to the next page.

This will be the last time we specifically state to click on the Continue button, from now on it is assumed the Continue
button will be used to move forward in the lab.

2. Fortinet Security Fabric
Introduction

The Fortinet Security Fabric platform is built on a cybersecurity mesh architecture, similar to the one Gartner recently
described as "an architectural approach to creating a collaborative ecosystem of security tools operating beyond the traditional
perimeter."

The Security Fabric provides a suite of best-of-breed solutions, organically built from the ground up to provide the best
integration in the industry.

The Security Fabric enables organizations to achieve operational efficiencies through consistent policies and automation,
deep visibility across their full deployments, whether on the network or in the cloud, and the ability to interoperate with a
broad ecosystem of networking and security solutions.

Time to Complete: 20 minutes

2.1. Fabric Management Pane

Background

The Firmware & Registration section allows you to authorize new Fabric devices and manage the firmware running on each
FortiGate, FortiAP, and FortiSwitch in the Security Fabric.

In this exercise, you will configure a Security Fabric connector on the downstream device FGT-ISFW.
You then connect to the root FortiGate, FGT-EDGE, and use the Fabric Management page to authorize
the device FGT-ISFW as part of the Security Fabric. You will also make sure all Fabric devices are
running current firmware versions.

Tasks

Add FGT-ISFW to the Security Fabric

1. From the Lab Activity: FortiOS tab, log into the FGT-ISFW under the Core group via the HTTPS option.

Note: Unless otherwise indicated, all usernames and passwords for the various web consoles are:

Username: admin Password: Fortinet1!

2. Click Security Fabric > Fabric Connectors.

3. Select the Security Fabric Setup card and click Edit.

4. Configure the following settings:

Security Fabric Role: Join Existing Fabric

Upstream FortiGate IP/FQDN: 10.10.30.14

Turn on Allow downstream device REST API access

Administrator profile: super_admin

SAML Single Sign-On: Manual

Management IP/FQDN: Specify 192.168.0.103

Management port: Use Admin Port

5. Click OK.

6. Click OK to Confirm.

7. Return to the Lab Activity tab, click FGT-EDGE in the sidebar menu under the Core group, and click HTTPS to access
the FGT-EDGE device.

8. Click System > Firmware & Registration. The donut charts show that the Security Fabric includes one FortiGate Up
and that all firmware is current.

9. In the device list, select FGVM01TM19002141 (the serial number of FGT-ISFW).

10. Click Authorization > Authorize

11. After a few moments, FGT-ISFW is shown in the donut charts at the top of the page, along with the FortiSwitch that FGT-
ISFW manages. Press F5 to refresh the browser tab if the device doesn’t appear. Ignore the FortiSwitch registration
warning. This is only a limitation of the current lab and not typical of an actual production environment.

Authorize EMS Server (FGT-ISFW)

1. From the browser tab, log into FGT-ISFW via the web console.

2. Click Security Fabric > Fabric Connectors.

3. Edit FortiClient EMS Fabric Connector.

4. Click Authorize.

5. Click Accept to verify the EMS server certificate.

6. Click Security Fabric > Fabric Connectors.

7. The FortiClient EMS Fabric Connector should come up in a few seconds.

Note: If the EMS Fabric Connector color doesn’t change from Amber to white, press F5 to refresh the browser tab.

2.2. MAC Address Threat Feed

Background

A MAC address threat feed is a dynamic list that contains MAC addresses, MAC ranges, and MAC OUIs.

The list is stored as a plain text file on an external server, and FortiGate periodically fetches it from there to pick up
changes.

After FortiGate imports this list, it can be used as a source in firewall policies, proxy policies, and ZTNA rules. For policies in
transparent mode or virtual wire pair policies, the MAC address threat feed can be used as a source or destination address.

Text file example:

01:01:01:01:01:01

01:01:01:01:01:01-01:01:02:50:20:ff

8c:aa:b5

The file can contain one MAC address, MAC range, or MAC OUI per line.
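A feed maintained by hand is only as good as its formatting: a malformed line that is silently dropped leaves the very host the SOC wanted blocked unmatched. The following Python is an added example, not part of this lab guide or of FortiOS, that parses a feed file in the format shown above (one MAC, one lo-hi range, or one OUI per line), reports lines that do not parse, and checks whether a given adapter MAC falls under any entry, which is the same source match the MAC_List_Deny policy later in this exercise relies on. The sample feed, the case-folding, and the rejection rules are this example's own assumptions, not a description of how FortiOS itself parses the file.

```python
"""Parse a MAC address threat feed and test whether a host's MAC is listed.

Added example for the feed format described in the lab guide: one MAC
address, MAC range (lo-hi) or MAC OUI per line. The normalisation rules
(case-insensitive, blank lines ignored, malformed lines reported rather
than silently dropped) are this example's own assumptions, not a
statement of how FortiOS parses the file.
"""
import re

_OCTET = r"[0-9a-f]{2}"
MAC_RE = re.compile(rf"^{_OCTET}(?::{_OCTET}){{5}}$")   # six octets
OUI_RE = re.compile(rf"^{_OCTET}(?::{_OCTET}){{2}}$")   # three octets

# Constructed sample feed: the three entries from the guide, a blank line,
# and one deliberately malformed line (dash-separated octets) to show rejection.
SAMPLE_FEED = """\
01:01:01:01:01:01
01:01:01:01:01:01-01:01:02:50:20:ff
8c:aa:b5

AA-BB-CC-DD-EE-FF
"""


def mac_to_int(mac: str) -> int:
    """Convert a colon-separated MAC string to a 48-bit integer."""
    mac = mac.strip().lower()
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(mac.replace(":", ""), 16)


def parse_feed(text: str):
    """Return (entries, rejected).

    entries : list of (kind, lo, hi); kind is 'mac', 'range' or 'oui' and
              [lo, hi] is the inclusive integer interval the entry covers.
    rejected: list of (line_number, raw_line) for lines that did not parse.
    """
    entries, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip().lower()
        if not line:
            continue
        try:
            if MAC_RE.match(line):
                v = mac_to_int(line)
                entries.append(("mac", v, v))
            elif OUI_RE.match(line):
                # An OUI covers every address whose first three octets match.
                base = int(line.replace(":", ""), 16) << 24
                entries.append(("oui", base, base | 0xFFFFFF))
            elif line.count("-") == 1:
                lo_s, hi_s = line.split("-")
                lo, hi = mac_to_int(lo_s), mac_to_int(hi_s)
                if lo > hi:
                    raise ValueError("range low end above high end")
                entries.append(("range", lo, hi))
            else:
                raise ValueError("unrecognised entry")
        except ValueError:
            rejected.append((lineno, raw))
    return entries, rejected


def find_match(mac: str, entries):
    """Return the first feed entry (kind, lo, hi) that covers `mac`, or None."""
    v = mac_to_int(mac)
    for entry in entries:
        _, lo, hi = entry
        if lo <= v <= hi:
            return entry
    return None


def is_listed(mac: str, entries) -> bool:
    """True when the feed would match `mac` as a policy source."""
    return find_match(mac, entries) is not None


if __name__ == "__main__":
    entries, rejected = parse_feed(SAMPLE_FEED)
    for kind, lo, hi in entries:
        print("entry", kind, f"{lo:012x}-{hi:012x}")
    for lineno, raw in rejected:
        print("rejected line", lineno, repr(raw))
    # Constructed adapter MACs, not the lab's real addresses.
    for host in ("01:01:02:00:00:00", "8C:AA:B5:12:34:56", "00:11:22:33:44:55"):
        print(host, "DENY" if is_listed(host, entries) else "no match")
```

Two points worth noticing when running it: the rejected-line report is what tells the security team their edit did not take effect, and an OUI entry such as 8c:aa:b5 matches every adapter from that vendor block, so it should be used deliberately rather than as a shortcut for a single host.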

The Security Admin at AcmeCorp finds out through the SOC team that Alice’s PC has been compromised with potential
malware installed on the device.

They now need to immediately stop this device from accessing the AcmeCorp finance web portal. They instruct the security
team to add the MAC address of Alice's Sales network adapter to the MAC address threat feed list hosted on one of the servers.

Tasks

Test Connectivity (Pre-Threat Feed Integration)

1. From the Lab Activity: FortiOS tab, log in to the Alice machine under the Sales group via the RDP option:

Username: alice Password: Fortinet1!

2. Open the web browser and click the Finance_Portal bookmark.

3. The portal login page comes up, which shows that access to the portal is currently allowed.

4. Close the web browser.

5. Open the command prompt and type:

ipconfig /all

6. Scroll to the Sales Network adapter and review the associated MAC address.

Configure MAC Address Threat Feed

1. From the Lab Activity: FortiOS tab, log in to FGT-ISFW via the HTTPS option.

2. Click Security Fabric > External Connectors.

3. Click +Create New.

4. Under Threat Feeds, click MAC Address and use the following Connector Settings:

Status: Enabled

Name: MAC_List

Update Method: External Feed

URL of external resource: http://192.168.0.53/mac

HTTP basic authentication: Turn OFF

5. Click OK.

6. If the connector card doesn't show a green checkmark in the bottom right corner, click the refresh icon.

7. Right-click MAC_List Fabric connector and click View Entries to view the MAC address list.

Note: You will see Alice’s Sales network adapter MAC address listed here.

Configure Firewall Policy

1. Click Policy & Objects > Firewall Policy.

2. Click Cancel on the New Policy Layout pop-up window.

Note: You will check out this feature in a later lab exercise.

3. Click + Create New to add a new policy and use the following settings:

Name: MAC_List_Deny

Type: Standard

Incoming Interface: Sales Network (port2)

Outgoing Interface: EDGE_ISFW Network (port4)

Source: Address > MAC_List > Click Close

Destination: Finance_Web_Portal

Schedule: Always

Service: ALL

Action: DENY

4. Click OK.

5. Click MAC_List_Deny policy. Hover the mouse cursor on the left corner and drag this new policy to the top of the policy
list.

Test Connectivity (Post-Threat Feed Integration)

1. From the browser tab, log into Alice's machine via the web console.

2. Open the web browser and open a new incognito/private window.

3. Click the Finance_Portal browser bookmark again.

4. Access to the portal is now denied.

5. Close the web browser.

3. General GUI Changes
Introduction

Each major release of FortiOS includes updates to the GUI that improve performance, process flow, and ease of use.

The following section explores some of these new GUI features.

Time to Complete: 15 minutes

3.1. FortiView

Background

Dashboard widgets and FortiView monitors are updated with new graphs, faster performance, and other updates that
improve the user experience.

Tasks

Initiate Web traffic (Alice)

1. From the Lab Activity: FortiOS tab, log in to Alice via the RDP option using the following credentials:

Username: alice Password: Fortinet1!

2. Open a web browser. Right-click Blocked_Sites folder bookmark.

3. Click Open all (5).

4. Close the web browser.

FortiView

1. From the Lab Activity: FortiOS tab, log in to FGT-EDGE via the HTTPS option using the following credentials:

Username: admin Password: Fortinet1!

2. Click the Search icon on the top left corner. FortiView pages can be found using the global search.

3. In the search bar, type fortiview sources

4. In the FortiView Sources dashboard, click the drop-down arrow icon > click Preview.

5. Set the time-lapse to 5 minutes from the drop-down tab.

6. Drill down on Source 172.16.10.50 by selecting it and right-click Drill down.

7. Click the Threats tab. Right-click > Drill down on the failed-connection threat entry to drill down further to apply a
second-level filter.

8. Click Websites to view blocked connections to various destinations such as Bet365, YouTube, and Netflix. Click the X
at the top-right to remove the filter and show that tab again.

9. Click View Session Logs to see the log list details.

10. Click X to close the session log window.

11. At the top, click +Add to dashboard.

Note: Multiple FortiView widgets can be added to custom dashboards. Filters that are applied to the expanded widgets
will remain after refreshing the browser.

12. Click Create New Dashboard.

13. Enter Name: Training

14. Click OK.

Note: The new Training dashboard has been created. Multiple FortiView widgets can be added to custom dashboards.

15. Click the FortiView Sessions widget.

16. Select any session entry and click End session(s) in the toolbar to end that session. On the FortiView Sessions page,
one or more selected sessions can be ended either from the toolbar or from the right-click menu.

3.2. Dashboards

Dashboards

1. Click Dashboard > Status. The Licenses and Security Fabric widgets are updated with new visible icons all in one place
to improve the user experience and provide faster performance.

2. Expand the Security Fabric widget to see the Physical Topology.

Note: The topology in your lab might differ from the screenshot below.

3. Click the Logical Topology tab to see logical topology.

4. On the top right corner, click the Save as Monitor icon button.

5. Set Topology Type to Logical Topology.

6. Click OK to save the topology as a dashboard monitor.

7. Click Dashboard > Assets & Identities.

8. A time range can be specified in the Assets widget.

9. Expand the Assets widget.

10. The expanded Assets widget is updated as compared to previous FortiOS versions to create a more streamlined
appearance and to conserve resources. The Asset Identity Center page offers a unified view of asset information,
consolidates data from various sources, and can handle significantly larger sets of data.

Note: The Assets dashboard in the lab might differ from the screenshot below:

3.3. Packet Capture

Background

The Network > Diagnostics page now supports launching multiple packet captures at a time. From this page, you can run
both packet captures and debug flows within the GUI and see real-time information.

For example, ingress and egress interfaces can be captured at the same time to compare traffic, or the physical interface
and VPN interface can be captured using different filters to see if packets are leaving the VPN. The packet capture dialog can
be docked and minimized to run in the background. The minimized dialog aligns with other CLI terminals that are minimized.

In this exercise, you capture ICMP packets on any interface of FGT-EDGE to and from the hosts 8.8.8.8 and 8.8.4.4, running
the two captures at the same time.

Later in this exercise, you run a debug flow from the GUI to trace the flow of a packet through the FortiGate system.

Tasks

Run Simultaneous Packet Captures

1. From the Lab Activity tab, log in to FGT-EDGE under the Core group via the HTTPS option.

Username: admin Password: Fortinet1!

2. Click Network > Diagnostics > Packet Capture.

3. Click + New packet capture.

4. Set Interface to any.

5. Turn on the Maximum captured packets and set the value to 10.

6. Turn on Filters and click Basic.

7. Set Host to 8.8.8.8 and set Protocol number to 1.

8. Click Start Capture.

9. Click _ to minimize the packet capture window.

Note: Do NOT close the window.

10. Click + New packet capture.

11. Set Interface to any.

12. Turn on the Maximum captured packets and set the value to 10.

13. Turn on Filters and click Basic.

14. Set Host to 8.8.4.4 and set Protocol number to 1.

15. Click Start Capture.

16. Click _ to minimize the packet capture window.

Note: Do NOT close the window.

17. Click the >_ button in the top-right corner to connect to the CLI console session.

18. Copy/paste the following commands and hit Enter:

execute ping-options repeat-count 10
execute ping 8.8.8.8

19. After ten ICMP pings are sent, copy/paste the following command and hit Enter:

execute ping 8.8.4.4

20. After 10 ICMP pings are sent, click X to close the CLI console session window.

21. At the bottom, click Packet Capture 1 to open it.

22. Click on an individual packet to see more information about it.

23. Click Save as pcap to save a PCAP file of the capture for further analysis.

24. Click X to close the Packet Capture 1 window.

25. At the bottom, click Packet Capture 2 to open it. Click on an individual packet to see more information about it.

26. Click Back. In the upper-left corner of the GUI is a list of Recent Capture Criteria. If you want to run this specific capture
again, click it to load the saved settings.

3.4. Debug Flow

Run Debug Flow

1. In the FGT-EDGE GUI, click Network > Diagnostics > Debug Flow.

2. Set the Number of packets to 20.

3. Turn on Filters.

4. Set the Filter type to Basic and set the IP type to IPv4.

5. Set the IP address to 8.8.8.8.

6. Set Protocol to Any.

7. Click Start debug flow.

8. Click the >_ button in the top-right corner to connect to the CLI. Type execute ping-options repeat-count 20 and
press Enter. Then type execute ping 8.8.8.8 and hit Enter. The FortiGate begins to ping 8.8.8.8 and will do so
twenty times.

9. Minimize the CLI screen. You can view the debug flow in real time.

10. After 20 packets, the debug ends. You can also end it manually by clicking Stop debug flow.

11. Click Save as CSV to export a file of the debug flow.

12. The current output can be filtered in the GUI using the Time and Message columns.

4. SD-WAN
Background

In the reality of today’s market, digital innovation is a necessity. From moving faster and more efficiently, to operating in
uncertain environments at a global scale, it all starts with the network.

Organizations and branches need both high-performance networks and strong security. The Fortinet Security-Driven
Networking solution is an integral component of the Fortinet Security Fabric, which enables complete visibility and provides
automated threat protection across the entire attack surface. Powered by a single operating system, it delivers industry-
leading security and unmatched performance, all while reducing complexity.

FortiOS is a security-hardened, purpose-built network operating system that is the software foundation of FortiGate, and the
entire Fortinet Security Fabric. Designed to deliver tightly integrated and intuitive security and networking capabilities
across your entire network, FortiOS delivers everything from core network functionality to software-defined wide-area
networking (SD-WAN) to best-in-class security that protects organizations end-to-end, including the ability to extend the
Fortinet Security Fabric to third-party solutions using application programming interfaces (APIs) and Security Fabric
connectors.

Seamless automation and orchestration built into FortiOS allows organizations to overcome resource and skills gaps, and
achieve desired digital innovation outcomes without compromise.

Time to Complete: 15 minutes

4.1. SD-WAN Overlay

Background

FortiManager includes an automated SD-WAN overlay template with a wizard to automate and simplify the process using
recommended IPsec and BGP templates.

FortiManager 7.4 takes it one step further and now includes an automated SD-WAN post-overlay process that creates
policies to allow the health-check traffic to flow between Branch and HUB.

The SD-WAN overlay template includes two new options in the wizard to automate the post-wizard processes.

Normalize Interfaces: Enable the Normalize Interfaces option to normalize the SD-WAN zones created by the template.

Add Health Check Firewall Policy to Hub/Branch Policy Package: Enable the Add Health Check Firewall Policy to
Hub/Branch Policy Package option to create health check firewall policies (or policy blocks) for HUB(s) and branches.

Template Prerequisites

Import the FortiGate devices that will make up the hub and branch devices into FortiManager.

Configure the ISP links and other interfaces on your imported devices.

Create a device group for your branch devices.

In this exercise, you configure an SD-WAN overlay template for a single-HUB SD-WAN using the managed FortiGate devices.

Tasks

For this objective, you will be working on the FortiManager and FGT-BR1.

1. From the Lab Activity tab, log in to FortiManager under the Data Center group via the HTTPS option.

Username: admin Password: Fortinet1!

2. Click Device Manager > Provisioning Templates > Template Groups. Confirm that no groups exist.

3. Click Provisioning Templates > IPsec Tunnel. Confirm that only the three default templates exist.

4. Click Provisioning Templates > BGP. Confirm that only the two default templates exist.

5. Click Provisioning Templates > SD-WAN Overlay and click Create New to begin using the SD-WAN overlay template
wizard.

6. Set Name to HQ-Branch.

7. For Select New Topology, select Single HUB.

8. Click Next.

9. Set Standalone HUB to FGT-HQ.

10. For Branch, set Device Group Assignment to Branch.

11. Toggle ON Automatic Branch ID Assignment. When Automatic Branch ID Assignment is enabled, FortiManager
automatically assigns and tracks a branch ID for each device in the branch device group. This also applies to devices
added to the branch device group in the future, as well as those added to the device group using a zero-touch
provisioning device blueprint.

12. Click Next.

13. Configure the following Network Configuration settings:

Standalone Hub:

WAN Underlay 1: port2

WAN Underlay 2: Private Link

WAN Underlay 2: port5

Branch Device Group:

WAN Underlay 1: port2

WAN Underlay 2: Private Link

WAN Underlay 2: port5

14. Click Next.

15. Turn ON Normalize Interfaces.

16. Turn ON Add Health Check Firewall Policy to Hub Policy Package and select FGT-HQ from the drop-down list.

17. Turn ON Add Health Check Firewall Policy to Branch Policy Package and select FGT-BR1 from the drop-down list.

18. Click Next.

19. Review the summary and click Finish.

20. HQ-Branch appears in the template list.

21. Click Device Manager > Provisioning Templates > Template Groups. The SD-WAN overlay template wizard created
two new template groups.

22. Click Provisioning Templates > IPsec Tunnel. The SD-WAN overlay template wizard created two new templates.

23. Click Provisioning Templates > BGP. The SD-WAN overlay template wizard created two new templates.

4.2. Provision Template

Background

In this objective, you push the SD-WAN template configuration to FortiGates via FortiManager Install Wizard and review the
VPN status.

Tasks

1. In the FortiManager GUI, click Device & Groups > Managed FortiGate (2).

2. Click Install Wizard on the top of the screen.

3. Select Install Device Settings (only).

4. Click Next.

5. Select FGT-BR1 and FGT-HQ.

6. Click Next.

7. After FortiManager shows both devices as Connection Up, click Install.

8. Once the installation is complete, click Finish.

9. Press F5 to refresh the FortiManager browser tab. The Provisioning Templates column shows that the templates were
installed successfully.

10. Click Policy & Objects > Policy Packages.

11. Expand FGT-HQ and click Firewall Policy.

12. Expand HQ-Branch_HBLK policy list. You see firewall policies (or policy blocks) are created automatically to allow SLA
health checks to each device loopback. The SD-WAN overlay template creates the policy block and applies it to the top of
the HUB Policy Package.

13. Click Policy & Objects > Advanced.

14. Select the branch_id variable and Click Edit to review. When Automatic Branch ID Assignment is enabled in the
provisioning template configuration, FortiManager automatically assigns and tracks a branch ID for each device in the
branch device group. This also applies to devices added to the branch device group in the future, as well as those added
to the device group using a zero-touch provisioning device blueprint.

4.3. Review VPN Connection Status

Review VPN Connection Status

1. From the Lab Activity tab, log in to FGT-BR1 under the Branch 1 group via the HTTPS option using the following
credentials:

Username: admin Password: Fortinet1!

2. An alert appears stating that this FortiGate is managed by a FortiManager. Click Login Read-Only.

3. Click Dashboard > Network. Locate and expand the IPsec widget. It shows the HUB1-VPN1 is up and running.

5. ZTNA
Introduction

ZTNA is a Zero Trust Access (ZTA) capability that controls application access.

It extends the principles of ZTA to verify users and devices before every application session. ZTNA confirms that they meet
the organization’s policy to access that application.

Our unique approach, delivering Universal ZTNA as part of our FortiGate Next-Generation Firewall (NGFW), makes it uniquely
flexible, covering users whether they are remote or in the office.

Universal ZTNA capabilities are automatically enabled on any device or service running FortiOS 7.0 and higher. This includes
hardware appliances, virtual machines in the cloud, and the FortiSASE service.

Time to Complete: 15 minutes

5.1. Endpoint Management Server

Background

FortiClient Endpoint Management Server (FortiClient EMS) is a security management solution that enables scalable and
centralized management of multiple endpoints.

FortiClient EMS provides efficient and effective administration of endpoints running FortiClient. It provides visibility across
the network to securely share information and assign security policies to endpoints. It is designed to maximize operational
efficiency and includes automated capabilities for device management and troubleshooting.

Tasks

Configure Endpoint Policy

1. From the Lab Activity: FortiOS tab, log in to FortiClient EMS via the HTTPS option using the following credentials:

Username: admin Password: Fortinet1!

2. Click Endpoint Policy & Components.

3. Click Manage Policies.

4. On the top right corner, click +Add and use the following information:

Endpoint Policy Name: ZTNA.

Endpoint Groups: Click Edit and checkmark All Groups. Click Save.

Leave Profile set to Default.

On-Fabric Detection Rules: Click On-Net-172.16.10.0/24.

5. Click Save.

Configure EMS Tag Sharing

1. In the EMS, click Administration > Fabric Devices.

2. Edit FGVM01TM19002141 (FGT-ISFW).

3. For FortiClient Endpoint Sharing, select Share All FortiClients from the drop-down list.

4. For Tag Types Being Shared, choose both Classification Tags and Zero Trust Tags.

5. Click Save.

Configure Zero Trust Tagging Rule

1. In FortiClient EMS, click Zero Trust Tags > Zero Trust Tagging Rules.

2. Click +Add and use the following information:

Name: Windows_Firewall.

Tag Endpoint As: Firewall_Enabled_Tag, and then press the Enter key.

Note: You must press the Enter key to save the tag.

Enabled: Turn ON.

3. Click +Add Rule and use the following information:

OS: Windows.

Rule Type: From the drop-down, choose Windows Security.

Windows Security: Windows Firewall is enabled.

4. Click Save.

5. Click Save.

5.2. Logical AND Tag Matching Policy

Background

When configuring a firewall policy for IP- or MAC-based access control that uses different EMS tag types (such as ZTNA tags
and classification tags), a logical AND can be used for matching.

By separating the tag types into a primary and a secondary group, the different tag types are matched with a logical AND
operator: an endpoint must carry a tag from both groups for the policy to match.

Tasks

Configure Logical AND Tag Matching Policy

1. From the Lab Activity: FortiOS tab, log in to FGT-ISFW via the HTTPS option using the following credentials:

Username: admin Password: Fortinet1!

2. Click Policy & Objects > Firewall Policy.

3. Click + Create New on top to create a new policy and use the following information:

Name: Logical_AND_Policy_Match

Type: Standard

Incoming Interface: Sales Network (port2)

Outgoing Interface: EDGE_ISFW Network (port4)

Source: all

IP/MAC Based Access Control: ZTNA IP Firewall_Enabled_Tag (Choose from the list & click Close)

Logical And With Secondary Tags: Specify

Secondary Tags: CLASS IP Low (Choose from the list & click Close)

Note: Low-risk endpoints are automatically tagged with this EMS classification tag.

Destination: DC_Server

Schedule: Always

Service: ALL

Action: ACCEPT

NAT: Turn OFF

4. Click OK.

5. Click the Logical_AND_Policy_Match policy. Hover the mouse cursor over the left edge of the row and drag this new firewall policy to
the top of the policy list, above the two other policies.

5.3. Test Connection (Windows Firewall OFF)

Background

FortiClient is a Fabric Agent that delivers protection, compliance, and secure access in a single, modular lightweight client.

A Fabric Agent is a piece of endpoint software that runs on an endpoint, such as a laptop or mobile device, and communicates
with the Fortinet Security Fabric to provide information, visibility, and control for that device. It also enables secure remote
connectivity to the Security Fabric.

Tasks

FortiClient Zero Trust Fabric Agent to EMS Server

1. From the Lab Activity: FortiOS tab, log in to EMS using the HTTPS option.

Username: admin Password: Fortinet1!

2. Click Zero Trust Tags > Zero Trust Tag Monitor.

3. Expand the Low EMS classification Tag Category.

Note: Alice's machine has been tagged.

Test Connection (Windows Firewall OFF)

1. From the Lab Activity: FortiOS tab, log in to Alice's machine using the RDP option.

Username: alice Password: Fortinet1!

2. From the Desktop, open the FortiClient console.

3. Click Zero Trust Telemetry.

Note: The EMS server centrally manages the endpoint machine.

4. From Alice's Desktop, open the web browser.

5. Click browser bookmark DC_Server.

Note: Access to the web server is denied because no logical AND policy is matched.

6. Close the web browser.

5.4. Test Connection (Windows Firewall ON)

Background

In this lab objective, you turn on the Windows firewall and test ZTNA connectivity again.

Tasks

Turn ON the Windows Firewall

1. On Alice's machine, go to Control Panel > System & Security > Windows Firewall.

2. On the left side pane, click Turn Windows Firewall on or off.

3. For both Private/Public network settings, click Turn on Windows Firewall.

4. Click OK.

Check EMS Tag Monitor

1. From the lab activity tab, log in to FortiClient EMS using the HTTPS option.

Username: admin Password: Fortinet1!

2. Click Zero Trust Tags > Zero Trust Tag Monitor.

3. Expand Firewall_Enabled_Tag.

Note: Alice's machine has been successfully tagged with the new EMS tag. If you don't see the EMS tag yet, wait a few
minutes.

Test Connection (Windows Firewall ON)

1. From the Lab Activity: FortiOS tab, log in to Alice's machine using the RDP option.

Username: alice Password: Fortinet1!

2. From Alice's Desktop, open the web browser.

3. Click the DC_Server browser bookmark.

4. This time, access to the corporate server succeeds because the EMS tag policy matches.
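The behaviour observed in sections 5.1 to 5.4, as an added example that is not FortiClient EMS or FortiOS code: a small Python model of the Windows_Firewall tagging rule and of a policy whose primary ZTNA tag is ANDed with a secondary classification tag. The tag names and policy fields come from the lab; the evaluation logic and the endpoint posture fields are assumptions.

```python
"""Model of EMS zero-trust tagging and the logical AND tag policy.

Added example for this lab guide; it is not FortiClient EMS or FortiOS code.
Tag names, the Windows Firewall rule and the policy fields come from the lab
steps; the evaluation logic and the endpoint posture fields are assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class Endpoint:
    name: str
    os: str
    windows_firewall_on: bool
    risk: str                       # EMS classification: "Low", "Medium", ...
    tags: set = field(default_factory=set)


def apply_tagging_rules(ep: Endpoint) -> set:
    """Assign EMS tags from endpoint posture (simplified model).

    Mirrors the lab rule Windows_Firewall: OS = Windows and Windows Security
    'Windows Firewall is enabled' -> Firewall_Enabled_Tag (a zero-trust tag).
    The risk classification tag (e.g. "Low") is applied automatically by EMS.
    """
    tags = {ep.risk}                                # classification tag
    if ep.os == "Windows" and ep.windows_firewall_on:
        tags.add("Firewall_Enabled_Tag")            # zero-trust tag
    ep.tags = tags
    return tags


@dataclass
class Policy:
    name: str
    primary_tags: set               # ZTNA IP tags: any one matches
    secondary_tags: set             # CLASS IP tags, ANDed with the primary group
    logical_and: bool = True        # 'Logical And With Secondary Tags: Specify'
    action: str = "ACCEPT"


def policy_matches(policy: Policy, endpoint_tags: set) -> bool:
    """True when the endpoint's tags satisfy the policy.

    Within a group any listed tag matches (OR); with logical_and both the
    primary and the secondary group must match.
    """
    primary_ok = bool(policy.primary_tags & endpoint_tags)
    if not policy.logical_and or not policy.secondary_tags:
        return primary_ok
    return primary_ok and bool(policy.secondary_tags & endpoint_tags)


def evaluate(policies, ep: Endpoint) -> str:
    """First-match evaluation with an implicit deny, as on a FortiGate."""
    apply_tagging_rules(ep)
    for policy in policies:
        if policy_matches(policy, ep.tags):
            return policy.action
    return "DENY"


LOGICAL_AND_POLICY = Policy(
    name="Logical_AND_Policy_Match",
    primary_tags={"Firewall_Enabled_Tag"},
    secondary_tags={"Low"},
)


def alice_access(firewall_on: bool) -> str:
    """Alice (constructed posture: Windows, low risk) reaching DC_Server."""
    alice = Endpoint("alice", "Windows", firewall_on, "Low")
    return evaluate([LOGICAL_AND_POLICY], alice)


if __name__ == "__main__":
    print("Windows Firewall OFF:", alice_access(False))   # DENY
    print("Windows Firewall ON: ", alice_access(True))    # ACCEPT
```

With the firewall off Alice carries only the Low classification tag, so the AND with Firewall_Enabled_Tag fails and the implicit deny applies, which is the result seen in 5.3; turning the firewall on adds the zero-trust tag and the policy matches, as in 5.4.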

6. Policy & Objects
Introduction

This section includes information about policy and object-related new features.

Time to Complete: 15 minutes

6.1. New Policy Layout

Background

Improvements to the FortiOS GUI backend have been implemented to speed up the loading of a large number of policies.

This is achieved by only loading the necessary data when needed, rather than loading all the data at once.

This can significantly improve performance and reduce the time it takes to load a large number of policies.

A new layout has also been introduced for the policy list with the option to choose between the new layout and the old
layout.

To switch between the classic and new policy list layouts, select the style from the dropdown menu.

In this lab objective, you switch between the two layouts and review the new policy features.

Tasks

1. From the browser tab, log in to FGT-EDGE using the web console.

2. Click Policy & Objects > Firewall Policy.

3. Click Use new layout.

4. Expand EDGE_DC Network (port3) -> ISP1 (port6) policy section and click DC_to_WAN1 policy.

Note: The new layout includes several features to enhance the user experience. The edit and delete buttons are identified
by new icons with labels below the policy. Selecting a policy also displays an inline menu with options to edit,
insert, disable, and delete policies, with a Show more options entry when hovered over.

5. Click Insert > Above.

6. A pane is used to insert, create, and edit policies instead of a separate page. When a policy is inserted in Interface Pair
View, the Incoming Interface and Destination Interface fields will be automatically filled. You can confirm the
location of the new policy in the right-side gutter before inserting the policy.

7. Click Cancel.

8. You can now right-click in Interface Pair View to Expand All sections and then Collapse All sections.

6.2. Workflow Management

Background

The Policy change summary and Policy expiration features of the FortiOS Workflow Management enforce an audit
trail for changes to firewall policies and allow administrators to set a date for the firewall policy to be disabled.

In this exercise, you set a policy expiration date and time with limited access to the web for the guest network.

Tasks

1. From the Lab Activity: FortiOS tab, log in to FGT-EDGE via the HTTPS option using the following credentials:

Username: admin Password: Fortinet1!

2. Click System > Feature Visibility.

3. Under Additional Features, enable Workflow Management.

4. Click Apply.

5. Click System > Settings.

6. In the Workflow Management section, verify that Policy change summary is set to Required.

Note: The default value for Policy expiration is 30 days. This number can be changed in the CLI or under System > Settings
in the GUI to any value between zero and 365 days. If the value is set to zero, Policy expiration is disabled by default.

7. Click Apply.

8. Click Policy & Objects > Firewall Policy.

9. Expand EDGE_ISFW Network (port4) -> ISP1 (port6).

10. Edit the Guest_to_ISP1 firewall policy.

11. Under Workflow Management, enable Policy expiration.

12. Set the Expiration date to tomorrow’s date and the time 5:00 PM.

Note: Use the appropriate date, which will differ from the screenshot.

13. Click OK.

14. The Workflow Management - Summarize Changes window opens.

15. In the Change Summary tab, type Policy expiration set.

16. Click OK.

17. From the Firewall Policy page, again Edit the Guest_to_ISP1 firewall policy.

18. Under Security Profiles, enable Web Filter and select default.

19. Click OK.

20. The Workflow Management - Summarize Changes window opens.

21. In the Change Summary tab, type Default Web Filter enabled.

22. Click OK.

23. From the Firewall Policy page, again edit the Guest_to_ISP1 firewall policy.

24. Under Additional Information, click Audit Trail.

Note: Policy change summaries are used to track changes made to a firewall policy. The Audit trail allows users to
review the policy change summaries, including the date and time of the change and which user made the change.

25. Click Close.

26. Click Cancel.

7. Secure Access Switching
Introduction

FortiSwitch secure access switches are feature-rich, yet cost-effective, supporting the needs of enterprise campus and
branch office network connectivity.

With high-density 24- and 48-port models, which support 802.3at Power over Ethernet (PoE), you can power anything from
access points to VoIP handsets and surveillance cameras.

FortiSwitch integrates directly into FortiGate, allowing switch administration and access port security to be managed from
the same “single pane of glass.” Regardless of how users and devices are connected to the network (wired, wireless, or
VPN), you have complete visibility and control over your network security and access.

FortiSwitch VLANs appear just like any other interface on a FortiGate, meaning you can apply policies to FortiSwitch ports
just as you can with FortiGate “WLAN” ports. You even have visibility of per-port and switch-level PoE power usage. Unified
control of switches through FortiGate, together with security administration, simplifies remote management and
troubleshooting.

Time to Complete: 10 minutes

7.1. FortiSwitch Management

Background

FortiOS includes features that enhance FortiSwitch management and further network deployment with minimal technical
expertise.

In this exercise, you go through the features of the FortiGate switch controller.

This includes the FortiSwitch topology view, the FortiSwitch Clients page, configuring flap guard through the switch
controller, and disabling the FortiSwitch console port login.

Tasks

Enhanced FortiSwitch Topology View

1. From the Lab Activity: FortiOS tab, log in to FGT-ISFW via HTTPS using the following credentials:

Username: admin Password: Fortinet1!

2. Click WiFi & Switch Controller > Managed FortiSwitches.

3. Right-click FortiSwitch and click Diagnostics and Tools.

4. Check the Port Health section. When there are error frames, the port health is shown as Poor. When there are no error
frames, the port health is shown as Good.

5. Click Legend in the top right corner. It displays the Health Thresholds pane, which lists the thresholds for the Good,
Fair, and Poor ratings for General Health, Port Health, and MC-LAG Health.

6. Click WiFi & Switch Controller > FortiSwitch Ports.

7. You can now clear port counters by right-clicking a port and selecting Clear port counters.

FortiSwitch Clients Page

1. Click WiFi & Switch Controller > FortiSwitch Clients. This page will list all devices connected to the FortiSwitch unit
for a particular VDOM.

2. Double-click the existing device to display the Device Info page. The page will display matching NAC policies and
dynamic port policies (if applicable).

3. You can create a Firewall Address and Quarantine Host by hovering the mouse over the device.

4. Click Cancel.

Configure Flap Guard

The flap guard feature detects how many times a port changes status during a specified number of seconds.

If too many changes are detected, the system shuts down the port. After a port is shut down, you can manually reset the
port and restore it to the active state.

Flap guard is configured and enabled on each port through the switch controller. The default setting is disabled.

1. Click >_ in the top-right corner to connect to the CLI.

2. To configure flap guard on port 3, enter the following:

config switch-controller managed-switch
    edit S108DVNLY2Z7AU8C
        config ports
            edit port3
                set flapguard enable
                set flap-rate 15
                set flap-duration 100
                set flap-timeout 30
            end
    end

3. To restore the port to service if flap guard shuts down port 3, use the following command:

execute switch-controller flapguard reset S108DVNLY2Z7AU8C port3

Note: Because flap guard has not triggered on port 3, the above command does not reset the port at this time.
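The flap guard behaviour described above, as an added example that is not FortiSwitch or FortiOS code: a Python simulation that counts link status changes in a sliding window of flap-duration seconds, shuts the port down once more than flap-rate changes are seen, and restores it on a manual reset like the execute command above. The lab values 15 and 100 are used; flap-timeout is not modelled because the lab does not describe what it does, and treating the threshold as "more than flap-rate changes" is an assumption.

```python
"""Simulation of FortiSwitch flap guard (added example, not Fortinet code).

Models flap-rate (number of status changes allowed) within flap-duration
(seconds) and the manual reset from the lab. flap-timeout is intentionally
not modelled. Threshold semantics (strictly more than flap-rate changes in
the window triggers shutdown) are an assumption.
"""
from collections import deque


class FlapGuardPort:
    def __init__(self, name: str, flap_rate: int = 15,
                 flap_duration: int = 100, enabled: bool = True):
        self.name = name
        self.flap_rate = flap_rate            # changes allowed in the window
        self.flap_duration = flap_duration    # window length in seconds
        self.enabled = enabled                # default on a real switch: disabled
        self.link_up = False
        self.shutdown = False
        self._changes = deque()               # timestamps of status changes

    def link_event(self, now: float, up: bool) -> bool:
        """Record a link status report at time `now` (seconds).

        Returns True if the port is in service after the event. Reports that
        do not change the current status are not counted as flaps.
        """
        if self.shutdown:
            return False
        if up == self.link_up:
            return True
        self.link_up = up
        if not self.enabled:
            return True
        self._changes.append(now)
        # Forget changes that fell out of the sliding flap-duration window.
        while self._changes and now - self._changes[0] > self.flap_duration:
            self._changes.popleft()
        if len(self._changes) > self.flap_rate:
            self.shutdown = True              # too many flaps: port shut down
            self.link_up = False
            return False
        return True

    def reset(self) -> None:
        """Manual reset (execute switch-controller flapguard reset ...)."""
        self.shutdown = False
        self._changes.clear()


def run_flapping(port: FlapGuardPort, changes: int, interval: float) -> int:
    """Toggle the link `changes` times, `interval` seconds apart.

    Returns how many changes the port accepted before being shut down
    (equals `changes` if flap guard never triggered).
    """
    accepted = 0
    up = True
    for i in range(changes):
        if not port.link_event(i * interval, up):
            break
        accepted += 1
        up = not up
    return accepted


if __name__ == "__main__":
    fast = FlapGuardPort("port3")
    print("5 s interval, accepted:", run_flapping(fast, 20, 5), "shutdown:", fast.shutdown)
    slow = FlapGuardPort("port3")
    print("10 s interval, accepted:", run_flapping(slow, 20, 10), "shutdown:", slow.shutdown)
```

Toggling every 5 seconds puts 16 changes inside a 100-second window and the port is shut down after the 15th accepted change; toggling every 10 seconds never exceeds 15 changes in any window, so the port stays up.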

Disable the FortiSwitch Console Port Login

Administrators can use the FortiSwitch profile to control whether users can log in with the managed FortiSwitchOS console
port. By default, users can log in with the managed FortiSwitchOS console port.

1. Click >_ in the top-right corner to connect to the CLI.

2. Enter the following commands to disable login on the switch profile:

config switch-controller switch-profile
    edit profile1
        set login disable
    end

3. Enter the following commands to apply the switch profile on the managed switch:

config switch-controller managed-switch
    edit S108DVNLY2Z7AU8C
        set switch-profile profile1
    end

8. Operational Technology
Introduction

Connections between IT and operational technology (OT) systems are no longer air-gapped, introducing the potential for
hackers to penetrate industrial control systems, risking the safety and availability of critical infrastructure.

Security for OT requires visibility, control, and analytics to meet safety and availability requirements.

The AcmeCorp organization wants visibility into its network and the ability to identify what types of devices are
connecting and connected.

In this objective, you are going to explore FortiGate OT asset visibility and network topology.

Tabs are added to the Asset Identity Center page to view the OT asset list and OT network topology using Purdue Levels.

Time to Complete: 10 minutes

8.1. FortiGate OT View

Background

In this objective, you will work on FGT-ISFW to view the OT asset list and the OT network topology using Purdue
Levels.

Tasks

1. From the Lab Activity: FortiOS tab, log in to FGT-ISFW via the HTTPS option using the following credentials:

Username: admin Password: Fortinet1!

2. Click System > Feature Visibility.

3. Under Additional Features, verify that Operational Technology (OT) is turned ON.

4. Click Apply.

5. Click Security Fabric > Asset Identity Center.

6. Hover the mouse cursor over the top-left corner of the column header and click the settings gear icon when it appears, as
shown in the screenshot below.

7. Click Purdue Level and click Apply.

8. You can see the discovered PLC VM ending with the following MAC & IP addresses with Purdue Level 3:

MAC: 00:0c:29:36:5f:9b & IP: 172.16.40.101
MAC: 00:0c:29:4e:a3:2d & IP: 172.16.40.102

Note: There are a few other devices at the same Purdue Level 3.

9. Click the OT View on top.

Note: The OT View in your lab might differ from the screenshot shown below.

10. Click Unlock View. You are now able to freely drag and move devices to different levels. Do NOT move any devices yet.

Note: FortiGate and managed FortiSwitch devices are statically assigned to Purdue Level 2; other detected devices are
assigned to Purdue Level 3 by default, and this can be changed. You will assign the PLC VMs behind the OT Network port6 to
Purdue Level 1 (Basic Control).

11. On the top-right corner, click the >_ icon to open the CLI console session and enter the following commands:

config system interface
    edit port6
        set default-purdue-level 1
    next
end
diag user device clear

12. On the OT View page wait for a few minutes and click the refresh icon next to Unlock View. You should be able to see
PLC VMs moved to Purdue Level 1.

13. Click Asset Identity List.

Note: The Purdue Levels for the recently moved devices are set to 1 now.

9. Networking
Introduction

This section includes lab objectives about new network-related FortiOS 7.4 features.

Time to Complete: 20 minutes

9.1. DHCP Shared Subnet

Background

A FortiGate can act as a DHCP server and assign IP addresses from different subnets to clients on the same interface or
VLAN based on the requests coming from the same DHCP relay agent.

A FortiGate may have more than one server and pool associated with the relay agent, and it can assign IP addresses from
the next server when the current one is exhausted.

This way, the FortiGate can allocate IP addresses more efficiently and avoid wasting unused addresses in each subnet.

In this exercise, you will configure DHCP Relay on FGT-ISFW and two DHCP servers on FGT-EDGE.

Tasks

Configure DHCP Relay (FGT-ISFW)

1. From the Lab Activity: FortiOS tab, log in to FGT-ISFW using the following credentials:

Username: admin Password: Fortinet1!

2. Click Network > Interfaces.

3. Click Sales Network (port2) > Edit.

Note: The DHCP clients, Alice's and Carol's Windows machines, are connected to the Sales Network (port2) interface of
FGT-ISFW.

4. Scroll down to turn ON the DHCP Server.

5. Click Advanced and use the following settings:

Mode: Relay

Type: Regular

DHCP Server IP: 10.10.30.14

Note: 10.10.30.14 is the FGT-EDGE port4 IP address. You will configure two DHCP servers on port 4 of the FGT-EDGE.

6. Click OK.

Configure DHCP Server 1 (FGT-EDGE - Port 4)

1. From the Lab Activity: FortiOS tab, log in to FGT-EDGE via the HTTPS option using the following credentials:

Username: admin Password: Fortinet1!

2. Click Network > Interfaces.

3. Click EDGE_ISFW Network (port4) > Edit.

4. Scroll down to turn ON DHCP Server and use the following settings:

DHCP status: Enabled

Address range: 172.16.10.10-172.16.10.10

Netmask: 255.255.255.0

Default Gateway: Click Specify 172.16.10.254

DNS Server: Same as System DNS

5. Click OK.

6. On the top-right corner, click the >_ icon to open the CLI console session and copy/paste the following commands to set
the FGT-ISFW Port2 (Sales Network) interface as the DHCP relay agent:

config system dhcp server
    edit 1
        set shared-subnet enable
        set relay-agent 172.16.10.254
    end

Configure DHCP Server 2 (FGT-EDGE - Port 4)

1. On FGT-EDGE, use the same CLI console session and copy/paste the following commands to configure a second DHCP
server (IP address range 172.16.30.x/24) on the same interface, port4, and set the FGT-ISFW Sales interface as the DHCP
relay agent:

config system dhcp server
    edit 2
        set default-gateway 172.16.30.254
        set netmask 255.255.255.0
        set interface "port4"
        config ip-range
            edit 1
                set start-ip 172.16.30.200
                set end-ip 172.16.30.200
            next
        end
        set shared-subnet enable
        set relay-agent 172.16.10.254
    next
end

Review DHCP Server Configuration (FGT-EDGE)

1. On FGT-EDGE, at the top-right corner, click the >_ icon to open the CLI console session and enter the following
command:

show system dhcp server

Note: You will see DHCP server 1 and DHCP server 2 configurations with different IP address ranges set up on the same
port4 interface of FGT-EDGE and pointing to the same DHCP relay agent Sales (port2) interface IP of the FGT-ISFW.

Test DHCP Clients

Both Carol's and Alice's client machines are connected to the same port4 (Sales network) interface on FGT-ISFW. In this
objective, you will verify the DHCP IP leases assigned to these devices.

Configure DHCP Automatic IP Addressing (Carol)

1. From the Lab Activity: FortiOS tab, log in to Carol's machine via the RDP option using the following credentials:

Username: carol Password: Fortinet1!

2. Open Network and Sharing Center.

3. Double-click Sales Network Adapter > Properties > TCP/IPv4 > Obtain an IP address automatically > Obtain DNS server
address automatically.

4. Click OK > OK > Close.

Configure DHCP Automatic IP Addressing (Alice)

1. From the Lab Activity: FortiOS tab, log in to Alice's machine via the RDP option using the following credentials:

Username: alice Password: Fortinet1!

2. Open Network and Sharing Center.

3. Double-click Sales Network Adapter > Properties > TCP/IPv4 > Obtain an IP address automatically > Obtain DNS server
address automatically.

4. Click OK > OK > Close.

Verify DHCP Lease (FGT-EDGE)

1. From the Lab Activity: FortiOS tab, log in to FGT-EDGE via the HTTPS option using the following credentials:

Username: admin Password: Fortinet1!

2. Click Dashboard > Network > DHCP widget.

3. Both Carol's and Alice's machines are assigned IP addresses by FGT-EDGE (the DHCP server) from two different subnets on the
same interface, because the requests arrive from the same DHCP relay agent, FGT-ISFW. A FortiGate can assign IP addresses
from the next server when the first one is exhausted. This way, the FortiGate can allocate IP addresses more efficiently
and avoid wasting unused addresses in each subnet.

9.2. Route Tag Address Objects

Background

A route tag (route-tag) firewall address object can include IPv4 or IPv6 addresses associated with a BGP route tag number,
and is updated dynamically with BGP routing updates. The route tag firewall address object allows for a more dynamic and
flexible configuration that does not require manual intervention for dynamic routing updates.

This address object can be used wherever a firewall address can be used, such as in a firewall policy, a router policy, or an
SD-WAN service rule.

In this lab objective, you will configure and apply a route tag address object.

Note: The Route tag field has been removed from the Priority Rule configuration page (Network > SD-WAN > SD-WAN
Rules). The route-tag option has been removed from the config service settings under config system sdwan.

Tasks

Configure and Apply a Route Tag Address Object

1. From the Lab Activity: FortiOS tab, log in to FGT-EDGE via the HTTPS option using the following credentials:

Username: admin Password: Fortinet1!

2. At the top right corner, click >_ to open a CLI console session and copy/paste the following commands:

config firewall address
    edit sdwan_route_tag_10
        set type route-tag
        set route-tag 10
    next
end

3. Click Policy & Objects > Firewall Policy.

4. Expand EDGE_ISFW Network (port4) -> ISP1 (port6) policy section.

5. Edit ISFW_to_WAN1 policy.

6. Set the Destination to sdwan_route_tag_10.

7. Click Close.

8. Click OK.

9. In the Change summary dialog box, type Destination set to sdwan_route_tag_10.

10. Click OK.

Add Address to SD-WAN Service Rule

1. On FGT-EDGE, click Network > SD-WAN.

2. Select the SD-WAN Rules tab.

3. Edit existing Rule #1.

4. In the Destination section, set the Address to sdwan_route_tag_10.

5. Click Close, and then click OK.

Review

Verify that the route tag firewall address is associated with firewall policy ID 2 (ISFW_to_WAN1):

1. At the top right corner, click >_ to open a CLI console session and copy/paste the following command:

diagnose firewall iprope list | grep -A 15 index=2

2. Scroll through the list and locate the policy with index=2; route_tag(1): 10 is assigned to it.
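The dynamic behaviour of a route-tag address object, as an added example that is not FortiOS code: a Python model in which the object's members are rebuilt from whatever prefixes currently carry the tag, so a policy or SD-WAN rule using it follows BGP updates without any manual edit. The object name sdwan_route_tag_10 and route-tag 10 come from the lab; the routing table entries, their tags and the refresh-on-update model are constructed assumptions.

```python
"""Model of a route-tag firewall address refreshed from BGP routing updates
(added example, not FortiOS code). Routes and tags are constructed."""
import ipaddress


class RouteTagAddress:
    """Address of type route-tag: members are every IPv4 or IPv6 prefix in the
    routing table carrying the configured tag; nothing is edited by hand."""

    def __init__(self, name: str, route_tag: int):
        self.name = name
        self.route_tag = route_tag
        self.prefixes = []

    def refresh(self, routes: dict) -> list:
        """Rebuild members from {prefix: tag}; called after every routing update."""
        self.prefixes = [ipaddress.ip_network(p)
                         for p, tag in routes.items() if tag == self.route_tag]
        return sorted(str(p) for p in self.prefixes)   # strings: v4/v6 mix sorts

    def contains(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr.version == p.version and addr in p for p in self.prefixes)


def policy_destination_match(dst: RouteTagAddress, ip: str) -> bool:
    """The destination check a policy such as ISFW_to_WAN1 performs."""
    return dst.contains(ip)


def demo() -> dict:
    """Constructed BGP table: tag-10 IPv4 and IPv6 prefixes plus a tag-20 prefix,
    then a routing update that re-tags one prefix and withdraws another."""
    routes = {"10.20.0.0/16": 10, "10.30.0.0/24": 20, "2001:db8:10::/48": 10}
    obj = RouteTagAddress("sdwan_route_tag_10", 10)
    obj.refresh(routes)
    result = {"before": policy_destination_match(obj, "10.30.0.5")}
    routes["10.30.0.0/24"] = 10          # BGP update: prefix now carries tag 10
    routes.pop("10.20.0.0/16")           # BGP update: prefix withdrawn
    result["members"] = obj.refresh(routes)
    result["after"] = policy_destination_match(obj, "10.30.0.5")
    result["withdrawn"] = policy_destination_match(obj, "10.20.1.1")
    result["v6"] = policy_destination_match(obj, "2001:db8:10::1")
    return result


if __name__ == "__main__":
    print(demo())
```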

10. Conclusion

This concludes the Fast Track Workshop lab activity. We hope you found the information provided useful and the user
experience compelling.

After completing this Fast Track workshop, you should know how to:

Use the Security Fabric improvements to provide IT teams with a holistic view into devices, traffic, applications, and
events, in addition to the ability to stop a threat anywhere along its attack chain.

Enable the sharing and correlation of real-time threat intelligence by integrating devices using open standards, common
operating systems, and unified management platforms.

Use FortiOS ZTNA, OT, and SD-WAN capabilities to deliver unprecedented visibility, secure networking, and risk reduction
for cyber-physical and industrial control systems.

10.1. Continued Education

Now that you've completed the What's New in FortiOS workshop, here are a few additional resources and some next
steps.

For continued learning about Fortinet solutions and products, please consider Fortinet NSE training:

https://training.fortinet.com/

Additional resources regarding new features of FortiOS can be found at the following locations:

FortiOS 7.2 New Features Guide
FortiOS 7.4 New Features Guide

Ask your instructor for more information about the following Fast Track workshops:

Introduction to Fortinet Network Security
Fortifying the Enterprise Firewall (NGFW Solution)
Constructing a Secure SD-WAN Architecture
The Evolution of Access to Applications with Fortinet ZTNA
