
LAB 01 System and Network Settings

Fortigate Labs 7.4

Uploaded by

hedilon740

LAB 01: System and Network Settings

Contents
Lab 1: System and Network Settings
    Objectives
    Time to Complete
Exercise 1: Configuring FortiGate System Settings
    Review Local-FortiGate Network Settings
    Enable the DHCP Server on Local-FortiGate
Exercise 2: Working With the CLI
    Explore the CLI
    To explore the CLI
    Action
Exercise 3: Generating Configuration Backups
    Restore a Configuration From a Backup
    Back Up and Encrypt a Configuration File
Exercise 4: Configuring Administrator Accounts
    Configure a User Administrator Profile

Lab 1: System and Network Settings
In this lab, you will review the basic FortiGate system and network factory default settings and modify them.
You will also perform administrative tasks through the CLI and GUI, back up and restore a configuration file,
create a new administrator account, and modify administrator access permissions.

Objectives
• Review and change network settings

• Access the FortiGate CLI

• Back up and restore configuration files

• Locate the FortiGate model and FortiOS firmware build in a configuration file

• Create a new administrator user

• Restrict administrator access

Time to Complete
Estimated: 30 minutes

VM Usernames and Passwords

VM                 Username        Password
Local-Client       Administrator   password
Remote-Client      Administrator   password
Local-FortiGate    admin           password
Remote-FortiGate   admin           password
ISFW               admin           password
FortiAnalyzer      admin           password

Exercise 1: Configuring FortiGate System Settings
In this exercise, you will review the Local-FortiGate system settings and make changes to complete setting up
FortiGate on your network. You will enable the internal network DHCP server to allow hosts to receive an IP
address when connecting to Local-FortiGate.

Some of the settings in this lab have been preconfigured and are not the factory default settings of FortiGate.

Review Local-FortiGate Network Settings


You will review the port3 network interface on Local-FortiGate and you will also review the static routes.

To review the port3 network interface

1. Connect to the Local-FortiGate GUI, and then log in with the username admin and password password.

2. Click Network > Interfaces.

3. Click port3, and then click Edit.

You can double-click an object on the FortiGate GUI to view or edit the content
of the object.

4. In the Edit Interface window, review the information available on the right.

FortiGate displays its host name and status without the need to navigate away from your current work.

5. In the Role field, select WAN.

Stop and think!

Why do some of the settings appear or disappear when the role of an interface
changes?

Each role reflects the appropriate settings required to configure the
interface. The Undefined role displays all of the settings you can configure on an
interface.

The purpose of choosing WAN as the role of the interface is to see that when this
interface is connected to an external connection, you may need to disable some
settings to configure the DHCP server setting.

6. In the Estimated bandwidth fields, review the WAN utilization values.

When the role of the interface is set to WAN, you can set the downstream and upstream maximum bandwidth.

7. Click Cancel to clear any changes made.

To review the static default gateway on Local-FortiGate

1. Continuing on the Local-FortiGate GUI, click Network > Static Routes.

2. Click the static route entry, and then click Edit.

3. Expand the Advanced Options section.

You can set the priority value of the static route. When two routes have an equal distance, the route with a lower
priority number takes precedence.

4. Click Cancel to clear any changes made.

Enable the DHCP Server on Local-FortiGate


You will enable the DHCP server on port3.

To enable the DHCP server on port3

1. Continuing on the Local-FortiGate GUI, click Network > Interfaces.

2. Click port3, and then click Edit.

3. In the Role field, select LAN.

4. Enable DHCP Server.

Notice that in the LAN role, the DHCP server option appears on the GUI, unlike when the
role is set to WAN.

5. In the Address range field, type 10.0.1.1-10.0.1.250.

6. Click OK to save the changes.


Exercise 2: Working With the CLI


In this exercise, you will access a FortiGate using the CLI.

Explore the CLI


You will become familiar with the FortiGate CLI.

To explore the CLI


1. Go to the Local-FortiGate CLI.

2. At the login prompt, type admin.

3. In the Password field, type password, and then press Enter.

4. Enter the following command:

get system status

This command displays basic status information about FortiGate. The output includes the FortiGate serial
number, operation mode, and so on. When the More prompt appears on the CLI, perform one of the following
actions:

Action                         Command
To continue scrolling          Press the space bar.
To scroll one line at a time   Press Enter.
To exit                        Type q.

5. Enter the following command:

get ?

The ? character is not displayed on the screen.

This command shows all options that the CLI will accept after the get command. Depending on the command,
you may need to enter additional words to completely specify a configuration option.

6. Press the up arrow key.

This displays the previous get system status command.

7. Try some of the control key sequences shown in the following table:

Action                     Command
Previous command           Up arrow
Next command               Down arrow
Beginning of line          Ctrl+a
End of line                Ctrl+e
Back one word              Ctrl+b
Forward one word           Ctrl+f
Delete current character   Ctrl+d
Clear screen               Ctrl+l
Abort command and exit     Ctrl+c
Auto repeat history        Ctrl+p

8. Enter the following command:

execute ?

This command lists all options that the CLI accepts after the execute command.

9. Type exe, and then press the Tab key.

Notice that the CLI completes the current word.

10. Press the space bar, and then press the Tab key three times.

Each time you press the Tab key, the CLI replaces the second word with the next possible option for
the execute command, in alphabetical order.

You can abbreviate most commands. In lessons and labs, many of the
commands that you see are in abbreviated form. For example, instead of
typing execute, you can type exe.

Use this technique to reduce the number of keystrokes that are required to enter
a command. Often, experts can configure FortiGate faster using the CLI than
using the GUI.

If there are other commands that start with the same characters, your
abbreviation must be long enough to be specific, so that FortiGate can
distinguish them. Otherwise, the CLI displays an error message about
ambiguous commands.

11. On a new line, enter the following command to view the port3 interface configuration (hint: try using the
shortcuts you just learned about):

show system interface port3

12. Enter the following command:

show full-configuration system interface port3

Stop and think!

Compare both outputs. How are they different?

The show full-configuration command displays all the configuration settings for
the interface. The show command displays only those values that are different
from the default values.

Exercise 3: Generating Configuration Backups
In this exercise, you will learn how to generate and restore cleartext and encrypted configuration backups. The
configuration files that backups produce enable you to restore FortiGate to an earlier configuration.

Restore a Configuration From a Backup


You will restore a configuration from a backup.

To restore a configuration from a backup

1. Log in to the Local-Client VM with the username Administrator and password password.

The first time that you log in, you may need to click and drag the screen from the
bottom to bring up the login prompt.

2. On the Local-Client VM, open a browser, and then log in to the Local-FortiGate GUI at 10.0.1.254 with
the username admin and password password.

You can also access the Local-FortiGate GUI from the bookmarks bar in the
Mozilla Firefox browser.

All lab exercises were tested running Firefox on the Local-Client and Remote-
Client VMs. To get consistent results, you should use Firefox to access both the
internet and the FortiGate GUIs in this virtual environment.

3. In the upper-right corner, click admin, and then click Configuration > Restore.

4. Click Upload to select the backup configuration file from your local PC.

5. Click Desktop > Resources > FortiGate-Administrator > Introduction > local-initial.conf, and then
click Select.

6. Click OK.

7. Click OK to reboot.

After your browser uploads the configuration, FortiGate reboots automatically. This takes approximately 30–45
seconds.

8. When the Local-FortiGate GUI login page reappears after reboot, log in with the username admin and
password password.

9. Click Network > Interfaces, and then verify that the network interface settings were restored.

10. Click Network > Static Routes, and then verify that the default route was restored.

Back Up and Encrypt a Configuration File


Always back up the configuration before making changes to FortiGate (even if the change seems minor or
unimportant). There is no undo. You should carefully consider the pros and cons of an encrypted backup before
you begin encrypting backups. While your configuration, including things like private keys, remains private, an
encrypted file hampers troubleshooting because Fortinet Support cannot read the file. Consider saving
backups in plaintext, and storing them in a secure place instead.

You will create an encrypted file with the backup of the FortiGate current configuration.

To save an encrypted configuration backup

1. On the Local-Client VM, open a browser, and then log in to the Local-FortiGate GUI at 10.0.1.254 with
the username admin and password password.

2. On the Local-FortiGate GUI, in the upper-right corner, click admin, and then
click Configuration > Backup.

3. On the Backup System Configuration page, enable Encryption.

4. In the Password and Confirm password fields, type fortinet.

5. Click OK.

The Firefox browser saves the encrypted configuration file in the Downloads folder, by default. Ensure that you
record the password and store it in a secure place.

You can access downloaded files by clicking the download arrow button in the
upper-right corner of the browser.

Restore an Encrypted Configuration Backup

Restoring from a backup enables you to return FortiGate to a previous configuration. As a word of caution, if you
cannot recall the password required to decrypt an encrypted backup, you will not be able to restore FortiGate
to the backup. Ensure that you record the password and store it in a secure place.

You will restore the configuration backup that you created in the previous procedure.

Take the Expert Challenge!

Restore the configuration from the encrypted backup.

If you require assistance, or to verify your work, use the step-by-step instructions
that follow.

After you complete the challenge, see Compare the Headers of Two
Configuration Files on page 1.

To restore an encrypted configuration backup

1. On the Local-FortiGate GUI, in the upper-right corner, click admin, and then
click Configuration > Restore.

2. On the Restore System Configuration page, click Upload.

3. Browse to your Downloads folder, and then select the configuration file that you created in the previous
procedure.

4. In the Password field, type fortinet, and then click OK.

5. Click OK to confirm that you want to restore the configuration.

FortiGate reboots.

Compare the Headers of Two Configuration Files

When you troubleshoot issues, or when you restore FortiGate to an earlier OS version or build, it is useful to
know where to find the version and build number in a configuration file. This task shows you where to find this
information.

You will open and compare two configuration files using Notepad++.

To compare the headers of two configuration files

1. On the Local-Client VM, click the Notepad++ icon.

2. Click File > Open, and then browse to the Downloads folder to open the encrypted configuration file.

3. Click File > Open, and then browse to the initial configuration file:

Desktop\Resources\FortiGate-Security\Introduction\local-initial.conf

The configuration file opens in a second tab in Notepad++.

4. Compare the headers in the two files.

The following example is an encrypted file:

The following example is a cleartext file:

In both the cleartext and encrypted configuration files, the top line acts as a
header, and lists the firmware and model that this configuration belongs to.

5. Close the two tabs in Notepad++, and then close the application.

Exercise 4: Configuring Administrator Accounts
FortiGate offers many options for configuring administrator privileges. For example, you can specify the IP
addresses that administrators are allowed to connect from.

In this exercise, you will work with administrator profiles and administrator user accounts. An administrator
profile is a role that is assigned to an administrator user that defines what the user is permitted to do on the
FortiGate GUI and CLI.

Configure a User Administrator Profile


You will create a new user administrator profile that has read-only access for most of the configuration settings.

To configure a user administrator profile

1. Connect to the Local-FortiGate GUI, and then log in with the username admin and password password.

2. Click System > Admin Profiles.

3. Click Create New.

4. In the Name field, type Security_Admin_Profile.

5. In the permissions table, set Security Profile to Read/Write, and then set all other permissions
to Read.

6. Click OK to save the changes.

Create an Administrator Account

You will create a new administrator account. You will assign the account to the administrator profile you
created in the previous procedure. The administrator will have read-only access to most of the configuration
settings.

To create an administrator account

1. On the Local-FortiGate GUI, click System > Administrators.

2. Click Create New, and then click Administrator to add a new administrator account.

3. On the New Administrator page, configure the following settings:

Field                   Value
Username                Security
Type                    Local User
Password                fortinet
Confirm Password        fortinet
Administrator Profile   Security_Admin_Profile

Administrator names and passwords are case sensitive. You can't include
characters, such as < > ( ) # ", in an administrator account name.

4. Click OK to save the changes.

Test the New Administrator Account

You will confirm that the new administrator account has read-write access to only the security profile
configuration.

To test the new administrator account

1. Continuing on the Local-FortiGate GUI, click admin, and then click Logout to log out of
the admin account GUI session.

2. Log back in to the Local-FortiGate GUI with the username Security and password fortinet.

3. In the FortiGate Setup window, click Later.

4. Enable Don't show again, and then click OK to close the FortiOS introduction window.

5. Explore the settings that are available on the GUI.

You should see that this account can configure only security profiles.

6. Log out of the GUI.

Restrict Administrator Access

You will restrict access for FortiGate administrators. Only administrators connecting from a trusted subnet are
allowed access. This is useful if you must restrict the access points that administrators connect to FortiGate
from.

To restrict administrator access

1. On the Local-Client VM, open a browser, and then log in to the Local-FortiGate GUI with the
username admin and password password.

2. Click System > Administrators.

3. Edit the Security account.

4. Enable Restrict login to trusted hosts, and then set Trusted Host 1 to the 10.200.3.0/24 address.

5. Click OK to save the changes.

6. Log out of the GUI.

Test the Restricted Access

You will verify that a Security administrator outside the 10.200.3.0/24 subnet can't access FortiGate.

To test the restricted access


1. On the Local-Client VM, log out of the Local-FortiGate GUI session as the admin user.

2. Try to log in to the Security account with the password fortinet.

Authentication will fail.

3. Log in to the Remote-Client VM with the username Administrator and password password.

4. On the Remote-Client VM, open a browser, and then log in to the Local-FortiGate GUI at 10.200.1.1 with
the username Security and password fortinet.

What is the result this time?

Stop and think!

Why were you able to log in using the admin account and not
the Security account from the Local-Client VM directly connecting to the Local-
FortiGate GUI?

This is because Trusted Host is set on the Security administrator account but
not on the admin account.

5. On the Local-FortiGate CLI, log in with the username admin and password password.

6. Enter the following CLI commands to add 10.0.1.0/24 as the second trusted IP subnet (Trusted Host 2)
to the Security administrator account:

config system admin

edit Security

set trusthost2 10.0.1.0/24

end

7. Return to the Local-Client VM.

8. Open a browser, and then try to log in to the Local-FortiGate GUI at 10.0.1.254 with the
username Security and password fortinet.

You should be able to log in.
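
The trusted-host behaviour tested above can also be checked offline against a cleartext configuration backup. The following Python script is an added example, not part of the original lab guide: it reads the config system admin section, reports which accounts have no trusted host, and evaluates a source address against each account. The sample configuration, the assumed file layout, and the client addresses 10.0.1.10 and 10.200.3.1 are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: the admin section of a cleartext backup after the
# "Restrict Administrator Access" procedure. The edit/set/next/end layout and
# the "address mask" form of trusthostN are assumptions about the file.
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "Security"
        set trusthost1 10.200.3.0 255.255.255.0
        set accprofile "Security_Admin_Profile"
    next
end
"""

TRUSTHOST = re.compile(r"set trusthost\d+ (\S+)(?: (\S+))?$")


def parse_admin_trusthosts(config_text):
    """Return {admin name: [IPv4Network, ...]} from 'config system admin'."""
    admins, current, inside, depth = {}, None, False, 0
    for raw in config_text.splitlines():
        line = raw.strip()
        if not inside:
            inside = line == "config system admin"
        elif line.startswith("config "):
            depth += 1                      # nested table inside an admin entry
        elif line == "end":
            if depth == 0:
                break                       # end of the admin section
            depth -= 1
        elif depth == 0 and line.startswith("edit "):
            current = line[5:].strip().strip('"')
            admins[current] = []
        elif depth == 0 and current and (m := TRUSTHOST.match(line)):
            addr, mask = m.groups()         # accepts "a.b.c.d m.m.m.m" or "a.b.c.d/nn"
            spec = f"{addr}/{mask}" if mask else addr
            admins[current].append(ipaddress.ip_network(spec, strict=False))
    return admins


def login_allowed(trusthosts, source_ip):
    """With no trusted host set, any source passes; otherwise one must match."""
    nets = [n for n in trusthosts if n.prefixlen > 0]   # 0.0.0.0/0 means unset
    return not nets or any(ipaddress.ip_address(source_ip) in n for n in nets)


def unrestricted_admins(admins):
    """Accounts that can log in from any address (no trusted host set)."""
    return [name for name, nets in admins.items()
            if not any(n.prefixlen > 0 for n in nets)]


if __name__ == "__main__":
    admins = parse_admin_trusthosts(SAMPLE_CONFIG)
    # Assumed source addresses: one in the LAN behind port3, one in 10.200.3.0/24.
    for name in admins:
        for src in ("10.0.1.10", "10.200.3.1"):
            print(f"{name:10} from {src:12} allowed={login_allowed(admins[name], src)}")
    print("no trusted host:", unrestricted_admins(admins))
```

With the sample above, the Security account is refused from 10.0.1.10 until a 10.0.1.0/24 entry is added, while admin is listed as having no trusted host.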
